Users and servers communicate via unencrypted messages unless the website owners use SSL certificates. A valid SSL certificate ensures that communication is secure. Therefore, someone who intercepts packages in the network cannot read the data. Certificates are useful and easy to configure most of the time. However, in some cases, the connection may become unprotected and you may see the error message ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED.
I came across “certificate has been revoked” message in a website hosted at GoDaddy. Everything was fine and SSL certificate was valid. One day, I visited the site and saw this annoying warning page in Chrome and Edge.
ERROR_INTERNET_SEC_CERT_REVOKED in Microsoft Edge
Here is the full error message Microsoft Edge browser displays when the website has a revoked certificate:
This site is not secure
This might mean that someone’s trying to fool you or steal any info to the server. You should close this site immediately.
This website’s security certificate has been revoked, so you can’t go there at this time.
Error Code: ERROR_INTERNET_SEC_CERT_REVOKED
ERR_CERT_REVOKED error in Google Chrome
Chrome displays a slightly different error message but it mentiones the same problem: A revoked certificate.
Your connection is not private
Attackers might be trying to steal your information from domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED
If you see ” Your connection to this site is not fully secure” message in your browser’s URL bar, check this post out.
Internet Explorer and Mozilla Firefox show similar warning pages as well (It is SEC_ERROR_REVOKED_CERTIFICATE in Firefox). Let’s see why this issue happens and how to fix it.
The root cause of the “certificate has been revoked” error
When a browser accesses to a website that uses SSL certificate, it needs to check if the certificate is valid. There are two ways of checking the validation of an SSL certificate:
- Using Certificate Revocation Lists (CRLs). The browser downloads a list of all the certificates that were revoked from . If the website you are visiting in this list, you receive a warning.
- Query by using Online Certificate Status Protocol (QCSP). The browser queries the certificate of the website you visit. It is faster and more popular. Many browsers give this method priority.
If the website’s certificate appears in a CRL or QCSP query returns “invalid” message, then the browser display ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED message. It doesn’t always mean that the certificate is revoked. The reason behind might be a network or DNS issue that is preventing your computer to access the CRL list providers.
How to fix revoked certificate issues on client side?
You can explicitly configure your browser not to check certificate revocation. This solves the issue on that client but as you guess, the issue will remain for other clients.
In order to disable certificate revocation check for Internet Explorer, follow the steps below.
- Open Internet Explorer
- In the Tools menu, select Internet Options
- Go to the Advanced tab. Scroll down to the Security section
- Uncheck Check for server certificate revocation option
- Click OK
For other browsers, there are similar settings. For example, in Firefox, you can force the usage of OCSP for checking certificate revocation value.
After changing these settings, remove the CRL and OCSP caches by the commands below in the Command Prompt (Source):
certutil -urlcache CRL delete
certutil -urlcache OCSP delete How to fix revoked certificate issues on server side?
It is the best idea to fix certificate revocation issues in your server or hosting provider. Start with making sure of the validity of the certificate. SSL Checker is one of the popular tools to view SSL certificate details.
Compare the certificate serial number and expiration date with the data of the certificate you installed in your web server or hosting control panel. In many cases, I saw that the server uses an old or invalid certificate.
If you are working with a hosting provider, it is possible that you didn’t install the certificate for that particular website. Even if you have a UCC certificate that covers your entire hosting plan, you may still need to install certificate for each of the websites you want to protect. If you are working with GoDaddy, use this article to do this installation.
Do you see “TLS fatal error code 20” code? Here is how to fix it.