If you’ve spent any time in cybersecurity, you’ve likely heard the golden rule: “Always use HTTPS in production”. It’s the go-to advice for securing web communications, and for good reason: it encrypts data in transit, so HTTPS protects sensitive information from eavesdropping. But when it comes to Public Key Infrastructure (PKI), particularly managing certificate revocation, that rule doesn’t always hold. At Encryption Consulting, we bring our extensive experience working with Fortune 500 companies, federal contractors, and cloud-native enterprises to design robust PKI systems. One question we are asked a lot is: “Shouldn’t we use HTTPS for our revocation endpoints, like CRLs and OCSP?”
The answer might surprise you: often in these cases, HTTPS does more harm than good. Let’s dive into why HTTP can be the smarter choice in PKI for revocation endpoints.
Revocation Information is Digitally Signed by the CA
When a certificate is revoked, for example, due to a compromised key or a policy violation, the issuing Certificate Authority (CA) must notify relying parties. This happens through two primary methods. Certificate Revocation Lists (CRLs) are signed files published periodically, listing all certificates that have been revoked. Alternatively, the Online Certificate Status Protocol (OCSP) provides real-time status checks for individual certificates. What both methods have in common is that the CA cryptographically signs them. This signature ensures the data’s authenticity and integrity, whether it’s delivered over HTTP, HTTPS, or even an old-school USB drive.
If someone tries to tamper with a CRL or OCSP response in transit, the relying party’s validation check will fail, rejecting the data outright. So, what does HTTPS add in this context? In most cases, not much.
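To make that concrete, here is an added Go example (not code from the original post or from Encryption Consulting) that builds a throwaway issuing CA and a CRL it signs, then verifies the CRL the way a relying party would; the CA name, key and revoked serial are all constructed for the demonstration. Because the check is the CA's signature over the CRL body, one bit flipped in transit, or a CRL signed by any other CA, is rejected no matter which transport carried it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var RevokedSerial = big.NewInt(0x0A1B2C3D) // the one serial the constructed CRL lists; DER: 02 04 0A 1B 2C 3D
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures are fatal in this demo
	}
	return v
}

// BuildCAAndCRL makes a throwaway issuing CA (constructed for this example) and a CRL it signs.
func BuildCAAndCRL() (*x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign CRLs
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	ca := must(x509.ParseCertificate(der)) // the parsed cert carries the SubjectKeyId the CRL's AKI needs
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: RevokedSerial, RevocationTime: now}},
	}, ca, key))
	return ca, crlDER
}

// VerifyCRL is the relying party's step for a CRL fetched over plain HTTP: parse it, then check the
// CA's signature over the TBS bytes before trusting any entry. Any error means the CRL is rejected.
func VerifyCRL(ca *x509.Certificate, crlDER []byte) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // an in-transit edit or a foreign signer fails here
	}
	if err != nil {
		return nil, err
	}
	return crl, nil
}
```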
Unexpected Risks of HTTPS in PKI
You might wonder why HTTPS isn’t the default, given its security benefits. The answer lies in a subtle but critical issue outlined in RFC 5280, the standard governing X.509 certificates and CRLs, which advises against HTTPS URLs in CRL Distribution Point (CDP) and Authority Information Access (AIA) fields. The problem is a circular dependency that arises when the CRL or OCSP endpoint is hosted over HTTPS: that HTTPS service relies on a certificate to establish trust, and to validate that certificate, a relying party must check its revocation status.
If that revocation status is itself served from the same HTTPS endpoint, validation is caught in an endless loop. RFC 5280 refers to this as “unbounded recursion,” and it’s not just a theoretical concern: it leads to real-world validation failures, breaking trust chains and disrupting services.
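The loop is easier to see as code. The following Go example is added here (it is not from the original post or from Encryption Consulting) and models the dependency graph of CRL distribution point fetches using constructed certificates: `hosts` is an assumed map from an HTTPS host to the certificate its TLS endpoint presents, and the CRL download itself is not performed. A strict relying party walking this graph either terminates (plain HTTP, or an HTTPS server whose own certificate publishes its CRL somewhere independent) or notices it is back at a certificate still being validated and fails closed instead of recursing forever.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// ErrUnboundedRecursion is RFC 5280's term for the loop this checker refuses to follow.
var ErrUnboundedRecursion = errors.New("unbounded recursion: revocation status depends on itself")

// CheckRevocation walks the CDP dependency graph the way a strict relying party would. It reads the
// certificate's CRLDistributionPoints (no network or real signatures here; the fetch is modelled).
// hosts maps each host serving a CDP over HTTPS to the certificate its TLS endpoint presents, since
// trusting that endpoint means validating, and therefore revocation-checking, that certificate too.
func CheckRevocation(c *x509.Certificate, hosts map[string]*x509.Certificate) error {
	return walk(c, hosts, map[*x509.Certificate]bool{})
}

// walk fails closed instead of looping when an HTTPS-hosted CDP leads back to a certificate
// whose validation is still on the stack.
func walk(c *x509.Certificate, hosts map[string]*x509.Certificate, inProgress map[*x509.Certificate]bool) error {
	if inProgress[c] {
		return ErrUnboundedRecursion
	}
	inProgress[c] = true
	defer delete(inProgress, c)
	for _, raw := range c.CRLDistributionPoints {
		u, err := url.Parse(raw)
		if err != nil {
			return err
		}
		if u.Scheme != "https" {
			continue // plain HTTP: fetch the CRL and verify the CA's signature on it; no TLS trust needed
		}
		server, ok := hosts[u.Host]
		if !ok {
			return fmt.Errorf("no TLS certificate known for https host %q", u.Host)
		}
		// The endpoint's own certificate now needs a CDP fetch: the recursion RFC 5280 warns about.
		if err := walk(server, hosts, inProgress); err != nil {
			return fmt.Errorf("validating TLS certificate of %s: %w", u.Host, err)
		}
	}
	return nil
}
```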
We observed this issue with a federal contractor client that faced stringent DoD and FedRAMP compliance requirements. Their security policy mandated the use of HTTPS for all endpoints, including CRLs and OCSP responders. Unfortunately, this setup resulted in certificate validation errors during TLS handshakes, leading to cascading failures across their firewalls and services. That is how fatal the circular dependency can be, and in this case it was created by the HTTPS-hosted revocation endpoints. By redesigning their infrastructure to serve signed CRLs and OCSP responses over plain HTTP, we eliminated the recursion loop and restored functionality without compromising security or compliance.
In our PKI-as-a-Service platform, we take a similar approach, serving revocation data over HTTP with embedded signatures and tight caching controls. This simplifies validation across cloud environments and prevents similar failures from occurring.
When HTTPS Might Be the Right Choice
There are scenarios where HTTPS can make sense for revocation endpoints, but they require careful planning and consideration. For example, if you’re concerned about privacy, such as preventing metadata leaks that reveal which certificates are being checked, HTTPS can encrypt OCSP queries and responses. It’s also viable in tightly controlled environments with pinned certificates, where you can ensure the HTTPS certificate’s revocation status is validated through a separate, independent path. Another option is using out-of-band validation to avoid circular dependencies altogether. However, these cases are the exception, not the rule, and they demand meticulous architecture to avoid introducing new risks.
A Smarter Alternative: OCSP Stapling
If you want to sidestep live OCSP lookups entirely, there’s a better option: OCSP stapling. With stapling, the server fetches and caches an OCSP response for its certificate, then “staples” it to the certificate during the TLS handshake. Clients no longer need to query the OCSP responder themselves, which improves performance by removing an external call, enhances privacy by keeping validation details server-side, and boosts resilience when the OCSP responder is temporarily unavailable.
How Encryption Consulting Makes PKI Work for You
At Encryption Consulting, we don’t just talk about standards; we build systems that put them into practice. Whether you’re deploying Microsoft ADCS, leveraging cloud-based CAs like AWS Private CA or Azure Key Vault, using open-source solutions like EJBCA, or adopting our PKI-as-a-Service platform, we ensure your revocation infrastructure is secure and reliable. We design systems that deliver signed revocation data over HTTP without breaking validation, implement high-availability OCSP and CRL responders, and integrate revocation checks into CI/CD pipelines and Zero Trust environments. Our CertSecure Manager platform automates certificate lifecycle management, ensuring your operations run smoothly. Most importantly, we help you avoid circular trust loops by carefully validating any HTTPS endpoints independently.
Conclusion
In PKI, security isn’t just about encryption; it’s about ensuring data is signed, trusted, and accessible without breaking the trust chain. HTTPS has its place, but for certificate revocation, HTTP often gets the job done more reliably. At Encryption Consulting, we design PKI systems that strike a balance between standards and real-world performance, helping you avoid pitfalls that could disrupt uptime or compliance.
Ready to build a future-proof PKI? Contact our PKI experts at [email protected] or visit https://www.encryptionconsulting.com to discover how we can assist you.