Certificate View Release 4.5
July 21, 2025
Revocation Status for Certificates
Revocation of a certificate means canceling the certificate before it expires. This ensures that the certificate is no longer considered valid for secure communication. To support this feature, we have added a new search token, revocation status visibility on the Certificates tab, and a new revocation status section on the Certificates details page. Revoked certificates are now assigned a grade of F.
This enhancement provides immediate visibility into the status of certificates, helping you to identify and respond to revoked certificates.
This feature is applicable for external sites only.
Revocation Status Visibility on Certificates Tab
You can now view the revocation status of certificates directly on the listing page under the Certificates tab. A certificate indicates that a website or user is genuine. If the certificate is revoked, it means it is no longer safe to trust. By checking this status, you can avoid connecting to harmful websites and reduce the risk of security issues.
To search for revoked certificates, you can use a QQL query related to revocation status.
If you know the certificate's status, you can take the necessary action. For example, when you archive a certificate, you can label it with the correct reason for archival, such as the certificate being revoked.
Revocation Information Section on Certificates Details Page
You can view the certificate status label displayed beneath the certificate name.
- If the certificate is valid, the label is shown in green.
- If the certificate is valid but will expire within 90 days, it is shown in yellow.
- If the certificate is expired or revoked, the label is shown in red.
We have added a section dedicated to revocation information on the certificate details page. The section provides information on the status, OCSP link, and CRL link. CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) are methods to check if a digital certificate has been revoked by a Certificate Authority (CA).
CRL (Certificate Revocation List): The CRL is a list of digital certificates that have been revoked by the Certificate Authority (CA) before their scheduled expiration. These lists help verify whether a certificate is still trustworthy. You can access CRLs through the URLs provided in the certificate itself; these are known as Certificate Revocation List Distribution Points (CDPs). The CRLs can be downloaded from known sources via HTTP, LDAP, or FTP, with HTTP being the most commonly used due to its reliability and offline accessibility.
OCSP (Online Certificate Status Protocol): OCSP is a real-time protocol used to check the revocation status of a certificate quickly and efficiently. Instead of downloading an entire list as with CRL, your system sends a direct query to an OCSP server (called a responder), which then replies with the certificate's current status: valid, revoked, or unknown. It is lightweight, uses less bandwidth, and is ideal for real-time validation.
The Status field in the above image indicates the revocation status of a certificate and may display one of the following values.
- Revoked: The certificate has been revoked and is no longer valid.
- Not Revoked: The certificate is valid and has not been revoked.
- Not Available: Revocation status could not be determined because CRL or OCSP links are missing.
- Unknown: The status could not be identified due to internal issues or inaccessible CRL/OCSP links.
- Scan Pending: A fresh scan is required to retrieve the revocation status. This value will be updated once the scan is completed.
Revocation status is updated every 24 hours. If a scan is launched within this interval, the revocation status will not be refreshed until the next update cycle.
New Token Support
We have introduced a new token to get details of the certificate revocation status.
Token | Tab | Description |
---|---|---|
certificate:(revocationStatus:) | Certificates, Assets, Reports | Use any of the values from Not Available, Not Revoked, Revoked, Scan Pending, or Unknown to find certificates based on revocation status. |
Grade Update for Revoked Certificates
Certificates identified as revoked will now be assigned a grade of F. The Summary section will not be available for the revoked certificates.
Cipher Strength Visibility for Report Customization
Cipher suites are groups of encryption methods used to protect communication between a client, like a web browser, and a server. When a digital certificate is involved in creating a secure connection, such as HTTPS, cipher suites decide how well the data is encrypted, verified, and sent.
A well-configured cipher suite:
- Guarantees confidentiality (data remains unreadable to unauthorized users),
- Ensures integrity (data remains unchanged during transmission),
- Provides authentication (verifies the server's identity via its certificate).
Choosing the right cipher suites is crucial for preventing data leaks, avoiding security risks, and complying with standards such as PCI DSS, NIST, or HIPAA.
Good cipher suites can still be considered secure and acceptable, but may use slightly older algorithms or configurations. They are suitable for compatibility without sacrificing security.
Weak cipher suites use outdated or less secure algorithms. These are vulnerable to known attacks and should be phased out.
Insecure cipher suites can be broken or easily exploited. To prevent major security risks, these must be disabled immediately.
We have introduced five new column options that can be added to reports to view cipher strength. These additions provide enhanced visibility into protocol usage, cipher strength, and revocation status in your reporting. The details of the columns are:
- Identified Protocols
- Cipher Suites Strength - Good
- Cipher Suites Strength - Insecure
- Cipher Suites Strength - Weak
- Certificate Revocation Status
To create the report based on these new columns, navigate to Reports > Create Reports > Report Display.
Here is a screenshot of the image from the report.
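The following added example (not Qualys code) shows one way to triage a report that includes the new columns. It assumes the report is exported as CSV with the column names above as headers; the `Certificate Name` column, the `;` separator inside cells, the sample rows, and the priority order are assumptions of this example.

```python
import csv
import io

# Constructed sample export. Headers reuse the report column names from this page;
# the CSV layout, "Certificate Name" column and ";" cell separator are assumptions.
SAMPLE_REPORT = """\
Certificate Name,Identified Protocols,Cipher Suites Strength - Good,Cipher Suites Strength - Insecure,Cipher Suites Strength - Weak,Certificate Revocation Status
shop.example.test,TLSv1.2;TLSv1.3,TLS_AES_128_GCM_SHA256,,,Not Revoked
legacy.example.test,TLSv1.0;TLSv1.2,,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,Not Revoked
old-api.example.test,TLSv1.2,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,,,Revoked
intranet.example.test,TLSv1.2,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,,TLS_RSA_WITH_AES_128_CBC_SHA,Unknown
new.example.test,TLSv1.3,TLS_AES_256_GCM_SHA384,,,Scan Pending
"""

# Status values for which revocation has not been confirmed either way.
UNCONFIRMED = {"Not Available", "Unknown", "Scan Pending"}


def cell_values(row, column):
    """Split a multi-value cell into a clean list (empty cell -> [])."""
    return [v.strip() for v in (row.get(column) or "").split(";") if v.strip()]


def triage(report_csv):
    """Return (priority, certificate, actions) tuples, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        status = (row.get("Certificate Revocation Status") or "").strip()
        insecure = cell_values(row, "Cipher Suites Strength - Insecure")
        weak = cell_values(row, "Cipher Suites Strength - Weak")
        actions = []
        if status == "Revoked":  # revoked certificates are graded F
            actions.append((0, "revoked: no longer valid, grade F"))
        if insecure:  # insecure suites must be disabled immediately
            actions.append((1, "disable insecure suites: " + ", ".join(insecure)))
        if status in UNCONFIRMED:  # revocation could not be confirmed yet
            actions.append((2, "revocation status not confirmed: " + status))
        if weak:  # weak suites should be phased out
            actions.append((3, "phase out weak suites: " + ", ".join(weak)))
        if actions:
            actions.sort()
            findings.append((actions[0][0], row["Certificate Name"],
                             [text for _, text in actions]))
    return sorted(findings)


if __name__ == "__main__":
    for priority, name, actions in triage(SAMPLE_REPORT):
        print(priority, name, "; ".join(actions))
```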
New Tokens for Cipher Information
We have introduced new tokens to get details of the certificates based on Cipher information.
Token | Tab | Description |
---|---|---|
cipher:(category:) | | Use any of the values from Good, Insecure, or Weak to find certificates based on the cipher category. |
cipher:(name:) | | Use this token to search certificates based on Cipher name. |
Unified Certificate Details Page Across Qualys Apps
The Certificate Details page has been revamped to provide a consistent experience across Qualys and all associated modules. The unified page helps you understand certificate information more quickly, no matter which app you are using.
API Features and Enhancements
We have introduced new versions of the List CertView Certificates v1 and v2 APIs.
For more details, refer to Certificate View 4.5 API Release Notes.