x509check_revocation_status

x509check_revocation_status

Certificates | x509 certificates

An X.509 certificate is a digital certificate based on the widely accepted International Telecommunications Union (ITU) X.509 standard, which defines the format of public key infrastructure (PKI) certificates. They are used to manage identity and security in internet communications and computer networking. They are unobtrusive and ubiquitous, and we encounter them every day when using websites, mobile apps, online documents, and connected devices. 1

The certificate is also a confirmation or validation by an trusted Certificate Authority (CA) that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate.

For many reasons, primary, security reasons, we may want to revoke the validity of an X.509 certificate. In a nutshell, an X.509 certificate should be revoked when:

  • Encryption keys of the certificate have been compromised.
  • Errors occur within an issued certificate.
  • We want to change the usage of the certificate.
  • Certificate owner is no longer deemed trusted.

The Netdata Agent checks the X.509 certificate revocation status (0: revoked, 1: valid). This alert indicates that the X.509 certificate has been revoked. Check more about the x509 certificate monitoring with Netdata

This alert is triggered in critical state when the X.509 certificate is available and not valid.

Where and why we need X.509 certificates

The following provides a comprehensive explanation from the sectigo’s website 1

Common Applications of X.509 Public Key Infrastructure Many internet protocols rely on X.509, and there are many applications of the PKI technology that are used every day, including Web server security, digital signatures and document signing, and digital identities.

  • Web Server Security with TLS/SSL Certificates:
    PKI is the basis for the secure sockets layer (SSL) and transport layer security (TLS) protocols that are the foundation of HTTPS secure browser connections. Without SSL certificates or TLS to establish secure connections, cybercriminals could exploit the Internet or other IP networks using a variety of attack vectors, such as man-in-the-middle attacks, to intercept messages and access their contents.

  • Digital Signatures and Document Signing:
    In addition to being used to secure messages, PKI-based certificates can be used for digital
    signatures and document signing. Digital signatures are a specific type of electronic signature
    that leverages PKI to authenticate the identity of the signer and the integrity of the signature
    and the document. Digital signatures cannot be altered or duplicated in any way, as the signature
    is created by generating a hash, which is encrypted using a sender’s private key. This
    cryptographic verification mathematically binds the signature to the original message to ensure
    that the sender is authenticated and the message itself has not been altered.

  • Code Signing:
    Code Signing enables application developers to add a layer of assurance by digitally signing
    applications, drivers, and software programs so that end users can verify that a third party has
    not altered or compromised the code they receive. To verify the code is safe and trusted, these
    digital certificates include the software developer’s signature, the company name, and
    timestamping.

  • Email Certificates:
    S/MIME certificates validate email senders and encrypt email contents to protect against
    increasingly sophisticated social engineering and spear phishing attacks. By encrypting/decrypting
    email messages and attachments and by validating identity, S/MIME email certificates assure users
    that emails are authentic and unmodified.

  • SSH Keys:
    SSH keys are a form of X.509 certificate that provides a secure access credential used in the
    Secure Shell (SSH) protocol. As the SSH protocol is widely used for communication in cloud
    services, network environments, file transfer tools, and configuration management tools, most
    organizations use SSH keys to authenticate identity and protect those services from unintended use
    or malicious attacks. SSH keys not only improve security, but also enable the automation of
    connected processes, single sign-on (SSO), and identity and access management at the scale that
    today’s businesses require.

  • Digital Identities:
    X.509 digital certificates also provide effective digital identity authentication. As data and
    applications expand beyond traditional networks to mobile devices, public clouds, private clouds,
    and Internet of Things devices, securing identities becomes more important than ever. And digital
    identities don’t have to be restricted to devices; they can also be used to authenticate people,
    data, or applications. Digital identity certificates based on this standard enable organizations
    to improve security by replacing passwords, which attackers have become increasingly adept at
    stealing.

See more about the Certificate Authorities

A certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

Popular CAs

  1. https://letsencrypt.org/
  2. Broadcom SaaS
  3. https://www.geotrust.com/
  4. https://sectigo.com/
  5. https://www.digicert.com/
References and source
  1. X.509 explained

Troubleshooting section

A revocation of a certificate is irreversible. That means that this certificate is no longer
useful. You must stop using it in any way.