ERR_CERT_REVOKED means the browser checked the certificate's revocation status (via CRL or OCSP) and found that the Certificate Authority has explicitly revoked it. Certificate revocation happens when a certificate's private key is compromised, the certificate was fraudulently issued, the domain ownership changed, or the organization requested revocation. Once revoked, the certificate is permanently invalidated regardless of its expiration date. Browsers that check revocation status will refuse to establish a connection with a revoked certificate because it can no longer be trusted to authenticate the server.
If the server's private key was exposed (through a security breach, accidental publication, or server compromise), the Certificate Authority revokes the certificate to prevent its misuse. The site owner or the CA may have initiated the revocation.
When a new certificate is issued to replace an existing one, the CA often revokes the old certificate. If the server is still serving the old certificate instead of the new one, browsers will see it as revoked.
Certificate Authorities sometimes perform mass revocations when they discover that certificates were issued improperly (e.g., without proper domain validation or with technical flaws). This has affected thousands of certificates at once in past incidents.
Check the certificate's OCSP responder to confirm whether the certificate is actually revoked. The OCSP URL is embedded in the certificate's Authority Information Access extension.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -ocsp_uri
Download the Certificate Revocation List from the CA and check if your certificate's serial number appears in it.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -serial
A revoked certificate cannot be un-revoked. You must obtain a new certificate. Generate a new private key (do not reuse the potentially compromised one), create a new CSR, and request a fresh certificate from your CA.
openssl genrsa -out new-key.pem 2048 && openssl req -new -key new-key.pem -out new-csr.pem
Replace the old certificate and key files on your server with the new ones. Restart or reload the web server to pick up the changes.
sudo systemctl reload nginx
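The CRL lookup described above, carried through offline as an added example (not part of the original page): the script builds a throwaway CA, issues two certificates, revokes one, and looks each serial up in the resulting CRL. The CA, the file names, the demo.example names and the helper functions cert_serial, crl_lists_cert and build_demo_pki are all constructed for illustration.

```shell
# Print a certificate's serial as bare hex, as "openssl x509 -serial" reports it.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Exit 0 if cert $1 is listed in PEM CRL $2, 1 if not, 2 if no serial was read.
crl_lists_cert() {
    serial=$(cert_serial "$1")
    [ -n "$serial" ] || return 2
    openssl crl -in "$2" -noout -text |
        grep -Eq "^[[:space:]]*Serial Number: ${serial}\$"
}

# Build the demo PKI in directory $1: old.pem (revoked), new.pem, ca.crl.
build_demo_pki() (
    cd "$1" || exit 1
    : > index.txt; echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null || exit 1
    for n in old new; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=$n.demo.example" 2>/dev/null || exit 1
        openssl ca -config ca.cnf -batch -notext -in "$n.csr" \
            -out "$n.pem" 2>/dev/null || exit 1
    done
    openssl ca -config ca.cnf -revoke old.pem 2>/dev/null || exit 1
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
)

demo=$(mktemp -d) && build_demo_pki "$demo" || exit 1   # constructed data only
for c in old new; do
    crl_lists_cert "$demo/$c.pem" "$demo/ca.crl" &&
        echo "$c.pem: revoked" || echo "$c.pem: not in CRL"
done
```

For a live site, save the served certificate and the CA's CRL as PEM files and pass them to crl_lists_cert.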