Certificate Lifecycle and Revocation
Follow a certificate from issuance through renewal to revocation, and learn how CRLs and OCSP let relying parties check whether a certificate has been revoked before its expiry date.
The Certificate Lifecycle
Every digital certificate follows a defined lifecycle from creation to retirement. The stages are:
- Request and Enrollment: generate a key pair and create a CSR.
- Issuance: the CA validates the request and signs the certificate.
- Deployment: install the certificate and its chain on the server or device.
- Use: the active operational period.
- Renewal: before expiry, preferably with a fresh key pair rather than reusing the old one.
- Revocation or Expiry: end of life. Expiry is the normal end; revocation is the early end used when the key is compromised, the certificate was mis-issued, or the subject no longer controls the name.
Managing this lifecycle at scale, especially in enterprises with thousands of certificates, requires automation and certificate lifecycle management (CLM) tools: manual tracking misses renewals, and an expired certificate on a production endpoint is an outage.
Certificate Signing Request (CSR)
The certificate lifecycle begins with a Certificate Signing Request (CSR). The requestor generates a key pair, then creates a CSR that contains the public key, the subject information (CN, O, C) and any requested extensions, and is signed with the corresponding private key. That self-signature is the proof of possession: it shows the requestor holds the private key without revealing it. The CSR is submitted to the CA, which validates the request (for a TLS certificate, control of the requested domain names) and, if approved, signs the certificate. The private key never leaves the requestor's possession. Two caveats matter in practice: the CA does not take the CSR's fields on trust but applies its own issuance profile, so fields it does not recognise are dropped, and the host name must be requested in the subjectAltName (SAN) extension, because browsers match the host against the SAN and ignore the CN. CSR generation is also the step where key strength is fixed: use a minimum of 2048-bit RSA or 256-bit ECC (for example P-256).
# Complete CSR generation workflow (OpenSSL 1.1.1 or later for -addext)
# Step 1: Generate private key (RSA 2048) and restrict it to its owner
openssl genrsa -out server.key 2048
chmod 600 server.key
# Step 2: Create CSR with the subject fields and a subjectAltName for the host name
# (browsers and public CAs match the host against the SAN, not the CN)
openssl req -new -key server.key -out server.csr \
-subj '/CN=www.example.com/O=Example Corp/OU=IT/C=US/ST=CA/L=San Jose' \
-addext 'subjectAltName=DNS:www.example.com'
# Step 3: Verify the CSR's self-signature and review its contents before submitting
openssl req -in server.csr -noout -verify -text