General Security Concepts · SY0-701 · Task 1.4

Certificate authorities and revocation — SY0-701

How certificate authorities issue and revoke digital certificates, CRL vs. OCSP, and the trust hierarchy — for CompTIA Security+ SY0-701 exam prep.

WHAT IT IS

A certificate authority (CA) is a trusted entity that issues and revokes public key certificates. (Source: NIST SP 1800-16B via NISTIR 8149.) A public key certificate is a digital document, issued and digitally signed by the CA's private key, that binds an identifier to a subscriber's public key. (Source: FIPS 201-3, SP 800-57.) When the binding between a certificate and the identity it asserts must be permanently ended before the certificate's natural expiration, that process is called revocation — defined as "the process of permanently ending the binding between a certificate and the identity asserted in the certificate from a specified time forward." (Source: CNSSI 4009-2015.)

Mental model

Think of a CA as a passport office. The passport office (CA) signs and issues passports (certificates) that prove a person's identity (public key binding). Border agents trust the passport because they trust the issuing office. When a passport is reported stolen or fraudulent, the office publishes an invalidation notice — that notice is the revocation mechanism. The key insight is that trust flows from the issuer: if you trust the CA, you trust the certificates it has signed and has not revoked.

A root CA sits at the top of this hierarchy. A root certificate is a self-signed certificate issued by a root CA, typically installed securely on systems to enable them to verify end-entity certificates they receive. (Source: NIST SP 1800-16B.) Below the root, subordinate CAs (sometimes called intermediate CAs) are certified by the root and can themselves issue certificates to end entities, extending the hierarchy without exposing the root's private key to routine use.

A registration authority (RA) is an entity authorized by the CA system to collect, verify, and submit information provided by potential subscribers before certificates are issued — it handles identity vetting but does not sign certificates itself. (Source: CNSSI 4009-2015, SP 800-57.)

When to use it — CRL vs. OCSP

There are two primary mechanisms by which a relying party can check whether a certificate has been revoked before the certificate's stated expiration date.

CRL (Certificate Revocation List)
  • What it is: A digitally signed list of revoked public key certificates, created and signed by a CA. (Source: NIST SP 800-57.)
  • How a relying party uses it: Periodically download the full list and check whether the certificate's serial number appears on it.
  • Key tradeoff: Batch download; the list may be stale between publications.

OCSP (Online Certificate Status Protocol)
  • What it is: An online protocol used to determine the status of a public key certificate. (Source: FIPS 201-3, RFC 6960.)
  • How a relying party uses it: Send a real-time, per-certificate query to an OCSP responder and receive a signed status response.
  • Key tradeoff: Near-real-time freshness; requires live connectivity to the responder.

Both mechanisms answer the same question — "is this certificate still valid right now?" — but they differ in how current the answer is and what infrastructure they require.

COMMON MISCONCEPTION

Expiration and revocation are not the same thing. A certificate expires when its validity period ends — that is a scheduled, anticipated event. Revocation, by contrast, is the permanent, early termination of the binding between a certificate and the identity it asserts, effective from a specified time forward. (Source: CNSSI 4009-2015.) A certificate can be revoked well before it expires — for example, if the private key is compromised. After revocation, the certificate must not be trusted even though it has not yet reached its expiration date. Candidates who conflate the two may reason that an unexpired certificate is necessarily trustworthy; a revocation check is what closes that gap.
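As an added example (not from the page or its cited sources), the following builds a throwaway one-root PKI with the openssl CLI to walk through the CRL row of the comparison above and the expiration-versus-revocation point just made: a root issues an end-entity certificate, the relying party's check passes against an empty CRL, then the certificate is revoked for key compromise and the same check fails even though the certificate is nowhere near expiry. It assumes openssl 1.1.1 or 3.x is installed; every name, serial and file is constructed here.

```shell
# Added example: throwaway one-root PKI showing issuance, revocation and a CRL
# check with the openssl CLI. Assumes openssl 1.1.1 or 3.x; all names and
# values are constructed, and everything is written to a temp directory.
set -e
WORK=$(mktemp -d); cd "$WORK"
touch index.txt; echo 01 > serial            # database files for 'openssl ca'
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = root.crt
private_key = root.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = any
x509_extensions = leaf_ext
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
EOF
# 1. Root CA: a self-signed certificate, the trust anchor relying parties install
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key \
  -out root.crt -subj "/CN=Demo Root CA" -days 365 2>/dev/null
# 2. End entity: a request the CA signs with the root's private key -> leaf.crt
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=server.example" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.crt 2>/dev/null
# 3. Publish an empty CRL, then revoke the leaf (key compromise) and republish
openssl ca -config ca.cnf -gencrl -out before.crl 2>/dev/null
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out after.crl 2>/dev/null
# Relying-party check: chains to the trusted root AND is not listed on the CRL
check_status() { openssl verify -crl_check -CAfile root.crt -CRLfile "$2" "$1" >/dev/null 2>&1; }
# Serial numbers listed on a CRL: the values a relying party actually compares
revoked_serials() { openssl crl -in "$1" -noout -text | awk '/Serial Number:/ {print $3}'; }
check_status leaf.crt before.crl && echo "before revocation: trusted"
check_status leaf.crt after.crl  || echo "after revocation: rejected, though unexpired"
```

Swapping `before.crl` for `after.crl` is exactly the "stale list" tradeoff: a relying party that cached the earlier CRL keeps trusting the certificate until it fetches the new one.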

A related trap: the RA does not issue certificates. The RA collects and verifies subscriber information; the CA retains the exclusive authority to sign and issue. (Source: CNSSI 4009-2015, SP 800-57.)

How it shows up on the exam

Questions on this concept typically assess application and analysis — they present a scenario (a private key is compromised, an employee is terminated, a certificate is flagged as fraudulent) and ask what action should be taken or which mechanism would address the situation. Candidates often confuse:

  • Revocation with expiration (see above) — a scenario involving a key compromise requires revocation, not waiting for expiration.
  • CRL and OCSP — questions may describe a need for near-real-time status checking, where OCSP is the appropriate mechanism, versus a scenario where a periodically updated list is acceptable, where a CRL fits.
  • The CA's role versus the RA's role — signal phrases include "who signs the certificate" (CA) versus "who verifies the applicant's identity before issuance" (RA).

The cognitive target is distinguishing between mechanisms that serve the same purpose (revocation checking) but differ in operational characteristics, and understanding which entity in a PKI hierarchy has authority to perform which action.

Sources

Every claim on this page traces to the public exam blueprint and official documentation.
