OCSP Stapling and CRL Caching: Why Your Revocation Infrastructure Matters for Zero Trust
Certificate revocation is the mechanism that allows Zero Trust systems to invalidate compromised device or user certificates in real time. In practice, revocation infrastructure is frequently misconfigured, unreliable, or bypassed by client caching behavior. This article examines the failure modes and how to build revocation infrastructure that actually works.
Why Revocation Matters for Zero Trust
Zero Trust device trust depends on the ability to revoke a device's certificate when the device is compromised, stolen, or decommissioned. If revocation checking fails — because the CRL is stale, the OCSP responder is unreachable, or the client caches a "good" response — the revoked certificate continues to authenticate.
In a Zero Trust model where device certificates are the primary trust signal, a revoked certificate that still authenticates is a critical security failure.
CRL Caching Behavior
Windows clients cache CRL responses for the duration of the CRL's validity period. A CRL published with a 7-day validity period will be cached for up to 7 days — meaning a certificate revoked today may continue to authenticate for up to 7 days on clients that have already cached the CRL.
For Zero Trust environments requiring rapid revocation, publish CRLs with short validity periods (24 hours or less) and use OCSP for real-time revocation checking.
OCSP Stapling
OCSP stapling allows a server to include a pre-fetched, CA-signed OCSP response in the TLS handshake, eliminating the need for the client to contact the OCSP responder directly. This improves performance and privacy, but requires the server to refresh its stapled OCSP response before it expires.
For ADCS-issued certificates, configure the Online Responder role on your CA infrastructure and enable OCSP stapling on IIS and other services that use server certificates.
Revocation infrastructure is the emergency brake for your PKI. If it does not work reliably, you cannot respond effectively to certificate compromise. Zero Trust architectures that rely on certificate identity without reliable revocation are not actually enforcing Zero Trust — they are enforcing "trust until the cache expires."
- 1Publish CRLs with 24-hour or shorter validity periods for device certificates used in Zero Trust enforcement.
- 2Deploy the ADCS Online Responder role for real-time OCSP checking.
- 3Test revocation: revoke a test certificate and verify it is rejected within your target revocation window.
- 4Monitor CRL publication health — alert on CRL publication failures immediately.
- 5Configure OCSP stapling on all services that use ADCS-issued server certificates.
We consistently find that revocation infrastructure is the least-tested component of enterprise PKI. Organizations spend significant effort on certificate issuance and enrollment but rarely test whether revocation actually works end-to-end. Test your revocation infrastructure today — revoke a test certificate and verify it is rejected within your SLA.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
