Certificate Revocation

ReversingLabs maintains a certificate revocation database that is updated with each Spectra Core release. Because the database is offline, some recently revoked certificates may not appear as revoked until the next update.

Certificate Authority (CA) revocation alone is not sufficient to classify a sample as malicious. Most CAs backdate revocations to the certificate's issuance date, regardless of when or whether the certificate was abused.

When additional context is available, ReversingLabs adjusts the revocation date to reflect the most appropriate point in time. If a certificate is whitelisted, this correction is not applied.

Searching for Revoked Certificates

You can find samples signed with revoked certificates using Advanced Search with the tag:cert-revoked keyword.

Advanced Search is available both through the Spectra Analyze user interface and as the TCA-0320 Advanced Search API.