Lab-04: PQC Revocation

Incident Response: When Keys Are Compromised

Key Message: Revoking a PQC certificate works exactly like revoking a classical one. Same workflow, same commands.
The Scenario

It's 3 AM. You receive an alert:

🚨 SECURITY ALERT: The private key for server.example.com was detected on GitHub.

What do you do?

"We had a security incident. A private key was compromised. How do we revoke a post-quantum certificate?"

The same way you revoke any certificate. PKI operations are algorithm-agnostic: the CA marks the serial number as revoked and publishes a signed CRL, and neither the CRL structure nor the client-side check depends on which algorithm produced the signature.

```
┌──────────────────────────────────────────────────────────────┐
│                                                              │
│  COMPROMISED KEY: The attacker can impersonate your server   │
│                                                              │
│  Attacker                                                    │
│     │                                                        │
│     │ server.key (stolen)                                    │
│     ▼                                                        │
│  ┌──────────┐                                                │
│  │  Fake    │   The attacker can now:                        │
│  │  Server  │   - Impersonate server.example.com             │
│  │          │   - Intercept client traffic                   │
│  │          │   - Sign malicious content                     │
│  └──────────┘                                                │
│                                                              │
│  The certificate is still technically "valid".               │
│  Solution: REVOKE IT IMMEDIATELY                             │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```

What We'll Do
1. Create a CA (ML-DSA-65)
   1b. Issue a TLS certificate
2. Revoke the certificate (after key compromise)
   2b. Generate a CRL (Certificate Revocation List)
3. Verify the revoked certificate is rejected
Run the Demo

```bash
./journey/04-revocation/demo.sh
```

The Commands

Step 1: Create CA

```bash
# Create PQC CA
qpki ca init --profile profiles/pqc-ca.yaml \
  --var cn="PQC CA" \
  --ca-dir output/pqc-ca

qpki ca export --ca-dir output/pqc-ca --out output/pqc-ca/ca.crt
```

Step 1b: Issue Certificate

```bash
# Generate ML-DSA-65 key, CSR, and issue certificate
qpki csr gen --algorithm ml-dsa-65 \
  --keyout output/server.key \
  --cn server.example.com \
  --out output/server.csr

qpki cert issue --ca-dir output/pqc-ca \
  --profile profiles/pqc-tls-server.yaml \
  --csr output/server.csr \
  --out output/server.crt

# Extract serial number - needed for revocation command (prints "serial=<hex>")
openssl x509 -in output/server.crt -noout -serial
```

Step 2: Revoke Certificate

```bash
# Revoke certificate with reason
qpki cert revoke <serial> --ca-dir output/pqc-ca --reason keyCompromise
```

The certificate is now marked as revoked in the CA database. But clients don't know yet: we need to publish a CRL.

Step 2b: Generate CRL

```bash
# Generate the Certificate Revocation List
qpki crl gen --ca-dir output/pqc-ca

qpki inspect output/pqc-ca/crl/ca.crl
```

The CRL is now published. Clients can check if certificates are revoked.

Step 3: Verify CRL

```bash
# Verify certificate against CRL (should fail - certificate is revoked)
qpki cert verify output/server.crt \
  --ca output/pqc-ca/ca.crt \
  --crl output/pqc-ca/crl/ca.crl
```

Verification fails only for a relying party that actually fetches and checks the CRL. A client that never downloads it, or that treats a failed download as success (soft-fail), will keep accepting the revoked certificate until it expires.

Revocation Reasons (RFC 5280)

| Code | Reason | When to Use |
|---|---|---|
| 0 | unspecified | Default, no specific reason |
| 1 | keyCompromise | Private key exposed |
| 2 | cACompromise | CA’s key was compromised |
| 3 | affiliationChanged | Subject’s organization changed |
| 4 | superseded | Replaced by new certificate |
| 5 | cessationOfOperation | Service no longer needed |
Incident Response Workflow

```
1. DETECT     └─► Key compromise discovered (leak, breach, etc.)
2. ASSESS     └─► Identify affected certificates (serial numbers), including any other certificate issued for the same key
3. REVOKE     └─► qpki cert revoke <serial> --ca-dir <ca> --reason keyCompromise
4. PUBLISH    └─► qpki crl gen --ca-dir <ca>
5. NOTIFY     └─► Inform relying parties, update distribution points
6. REMEDIATE  └─► Issue replacement certificates with new keys (never re-certify the compromised key)
```

Note: Revocation prevents future trust. It does not remove already-installed malware or undo past compromise, and it only takes effect once relying parties fetch the new CRL.
Size Comparison

| Component | Classical (ECDSA) | Post-Quantum (ML-DSA-65) | Ratio |
|---|---|---|---|
| CRL signature | ~96 bytes | ~3,309 bytes | ~34x |
| CRL total size | ~500 bytes | ~3,800 bytes | ~7.6x |

CRLs are larger due to PQC signatures, but the protocol is unchanged. The signature is a fixed, one-time cost per CRL: each revoked entry (serial number, revocation date, optional reason code) is the same size whatever the algorithm, so the relative overhead shrinks as the list grows. Even a near-empty ML-DSA CRL stays at a few kilobytes, which is negligible next to ordinary network traffic.
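The Step 3 check, the reason-code table and the size comparison above, as one added Python example that is not code from this lab or from qpki. It builds a CertificateList in memory with a zero-filled placeholder where the signature would be (96 bytes for ECDSA P-384, 3,309 bytes for ML-DSA-65), then parses it the way a relying party does: walk the DER, find the serial in revokedCertificates and read the CRLReason entry extension. The issuer name, dates and serials are constructed; the OIDs are the standard ecdsa-with-SHA384, id-ml-dsa-65 and id-ce-cRLReasons values. It goes one step beyond the size table by letting you measure that one more revoked entry costs the same number of bytes under either algorithm, which is why only the signature column differs.

```python
# Added example (not from the lab or qpki): a minimal DER walk of an X.509 CRL.
# The signatureValue is a zero-filled placeholder of the real signature's size,
# so nothing here is signed or verified; serials, names and dates are made up.

SIG_ALG = {"ecdsa-with-SHA384": "1.2.840.10045.4.3.3",  # RFC 5758
           "ml-dsa-65": "2.16.840.1.101.3.4.3.18"}      # NIST CSOR id-ml-dsa-65
CRL_REASON_OID = "2.5.29.21"  # id-ce-cRLReasons (CRL entry extension, non-critical)
REASON_NAME = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation"}

def tlv(tag, body):
    """DER Tag-Length-Value (definite length; long form above 127 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs merged, base-128 rest)."""
    first, *rest = [int(a) for a in dotted.split(".")]
    body = bytes([40 * first + rest[0]])
    for arc in rest[1:]:
        chunk = bytes([arc & 0x7F])
        while arc := arc >> 7:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        body += chunk
    return tlv(0x06, body)

def revoked_entry(serial, reason):
    """One revokedCertificates element: serial, revocationDate, CRLReason extension."""
    ext = tlv(0x30, oid(CRL_REASON_OID) + tlv(0x04, tlv(0x0A, bytes([reason]))))
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return tlv(0x30, serial_der + tlv(0x17, b"250102030000Z") + tlv(0x30, ext))

def build_crl(alg, revoked, sig_len):
    """Constructed CertificateList; sig_len is the placeholder signature size in bytes."""
    sig_alg = tlv(0x30, oid(SIG_ALG[alg]))  # AlgorithmIdentifier, parameters absent
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"PQC CA"))))
    entries = b"".join(revoked_entry(s, r) for s, r in revoked)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + sig_alg + issuer                  # v2, signature, issuer
              + tlv(0x17, b"250102030000Z") + tlv(0x17, b"250109030000Z")  # thisUpdate, nextUpdate
              + (tlv(0x30, entries) if entries else b""))                 # OPTIONAL when empty
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(sig_len)))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def oid_str(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def entry_reason(exts):
    """CRLReason from crlEntryExtensions; absent means unspecified (0)."""
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        _, ext_oid, p = read_tlv(ext, 0)
        if oid_str(ext_oid) == CRL_REASON_OID:
            _, value, _ = read_tlv(ext, p)     # extnValue OCTET STRING ...
            return read_tlv(value, 0)[1][0]    # ... wrapping an ENUMERATED
    return 0

def parse_crl(der):
    """Signature algorithm OID, signature length and (serial, reason) list of a CRL."""
    _, crl, _ = read_tlv(der, 0)
    _, tbs, p = read_tlv(crl, 0)
    _, sig_alg, p = read_tlv(crl, p)
    _, sig_val, _ = read_tlv(crl, p)
    pos, q, seen_time, revoked = 0, 0, False, []
    while pos < len(tbs):  # the first SEQUENCE after the time fields is revokedCertificates
        tag, body, pos = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            seen_time = True
        elif tag == 0x30 and seen_time:
            while q < len(body):
                _, entry, q = read_tlv(body, q)
                _, serial, e = read_tlv(entry, 0)
                _, _date, e = read_tlv(entry, e)
                reason = entry_reason(read_tlv(entry, e)[1]) if e < len(entry) else 0
                revoked.append((int.from_bytes(serial, "big"), reason))
            break
    return {"alg": oid_str(read_tlv(sig_alg, 0)[1]), "sig_len": len(sig_val) - 1,
            "revoked": revoked}  # sig_len excludes the BIT STRING unused-bits byte

def revocation_status(der, serial):
    """Reason name if serial is listed, else None; real clients verify the CRL signature first."""
    for s, r in parse_crl(der)["revoked"]:
        if s == serial:
            return REASON_NAME.get(r, str(r))
    return None
```

Build two CRLs with `build_crl("ecdsa-with-SHA384", [(0x1A2B, 1)], 96)` and `build_crl("ml-dsa-65", [(0x1A2B, 1)], 3309)`: `revocation_status` returns "keyCompromise" for 0x1A2B under both, the only differences between the two byte strings are the AlgorithmIdentifier OID and the BIT STRING length, and appending a second entry grows either CRL by the same number of bytes. The parser deliberately does not verify the signature; a real relying party must check it against the CA certificate before trusting the list, which is what `qpki cert verify --ca ... --crl ...` does in Step 3.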
When Revocation Matters Most

| Industry | Scenario | Impact |
|---|---|---|
| Financial services | Stolen code signing key | Malicious transactions signed |
| Healthcare | Compromised device cert | Patient data exposed |
| Government | Employee termination | Unauthorized access continues |
| E-commerce | TLS key leaked on GitHub | Man-in-the-middle attacks |
| IoT/Industrial | Factory device breach | Supply chain compromise |
Compliance requirements:
- PCI-DSS: Revoke compromised keys within 24 hours
- HIPAA: Immediate revocation for terminated employees
- SOC 2: Document revocation procedures and response times
What You Learned

- Algorithm-agnostic: Revocation workflow is identical for classical and PQC
- CRLs are signed: PQC CRLs have larger signatures
- Same commands: No new tools or procedures needed
- Ops teams: No retraining required for basic PKI operations