The certificate_revoked alert (TLS alert code 44) is sent by a TLS peer (either client or server) when it determines that the other side's certificate has been revoked. The peer checked the certificate's revocation status through OCSP (Online Certificate Status Protocol) or a CRL (Certificate Revocation List) and found the certificate listed as revoked. This is the TLS-level equivalent of the browser's ERR_CERT_REVOKED. A certificate is revoked when its private key is compromised, when it was fraudulently issued, or when the certificate holder requests revocation. Unlike the browser error, this TLS alert can also appear in server-to-server communications and API calls, where no browser is involved.
The private key associated with the certificate was exposed through a security incident, and the Certificate Authority revoked the certificate at the request of the certificate holder or after being notified of the compromise.
A new certificate was issued to replace the current one (due to renewal, re-keying, or CA migration), and the CA revoked the previous certificate. If the server still serves the old certificate, peers that check revocation will reject it.
The Certificate Authority discovered a compliance issue affecting a batch of certificates and revoked them all. This has happened with several CAs when mis-issuance was discovered after the fact.
Query the OCSP responder to confirm the certificate's revocation status and get details about when and why it was revoked.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status </dev/null 2>/dev/null | grep -A5 'OCSP Response'
Generate a completely new private key and request a new certificate. Do not reuse the old private key, as it may have been compromised.
openssl genrsa -out new-key.pem 2048 && openssl req -new -key new-key.pem -out new-csr.pem -subj '/CN=yourdomain.com'
Install the new certificate and key on the server, update the web server configuration to reference the new files, and reload the service.
sudo nginx -t && sudo systemctl reload nginx
After deployment, confirm the server is presenting the new, non-revoked certificate to clients.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -serial -dates
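The four steps above can be wired into one rollout gate. The script below is an added example, not part of the original page: it parses the output of the same openssl commands to classify the stapled OCSP status, refuses to reload if the new certificate does not match the freshly generated key, and confirms afterwards that the served serial is no longer the revoked one. The host name, file names and the revoked serial are placeholders.

```shell
#!/bin/sh
# Added example: gate a certificate rollout after a certificate_revoked alert.
# Assumes openssl is on PATH; host and file names below are placeholders.

# Read `openssl s_client -status` output on stdin and print the stapled
# OCSP status: good, revoked, unknown, or none (no staple in the response).
ocsp_status_from_sclient() {
  status=$(sed -n 's/^[[:space:]]*Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
  case "$status" in
    good|revoked|unknown) printf '%s\n' "$status" ;;
    *) printf 'none\n' ;;
  esac
}

# Read a `serial=HEX` line (from `openssl x509 -noout -serial`) on stdin and
# succeed only if it differs from the revoked serial given as $1.
serial_rotated() {
  served=$(sed -n 's/^serial=//p' | tr '[:lower:]' '[:upper:]')
  revoked=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  [ -n "$served" ] && [ "$served" != "$revoked" ]
}

# Pre-reload check: the new certificate must carry the public key of the NEW
# private key, which catches an accidental reuse of the compromised key.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Live check (needs network): verify what the server presents after reload.
verify_host() {
  host=$1; revoked_serial=$2
  staple=$(openssl s_client -connect "$host:443" -servername "$host" -status \
             </dev/null 2>/dev/null | ocsp_status_from_sclient)
  echo "stapled OCSP status: $staple"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -serial | serial_rotated "$revoked_serial" \
    || { echo "server still presents the revoked certificate"; return 1; }
  [ "$staple" != "revoked" ]
}

# Usage, with placeholder values:
#   cert_matches_key new-cert.pem new-key.pem && sudo nginx -t && sudo systemctl reload nginx
#   verify_host yourdomain.com 0A1B2C3D
```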
The server's SSL certificate has been revoked by its Certificate Authority and is no longer trusted.
A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.
The certificate was rejected for a reason not covered by other specific TLS certificate alerts.