Mark Bolton wrote:
Thanks for your reply; however, a CRL will only help if we find out about it.
We want to prevent it from happening of course, but we want to remove the incentive as well. With a CRL, there is a window of opportunity between the time the cert is stolen and when the theft is discovered. How can we close that window?
You mean the private key and not the certificate, right? I'm afraid you can't. The security of public-key cryptography is based on the security of private keys.
Web browsers implement some DNS checks. Since you can spoof DNS, it's not something you can rely on.
In some cases it's also possible to implement some sort of IP-based access control. This is a pain to maintain and not really a bulletproof solution.
Best regards, Mike
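The window Mark asks about, as an added example that is not part of either post: a throwaway CA built with openssl(1) issues a client certificate, publishes a CRL, and then (after the key is "stolen") revokes the certificate and publishes a fresh CRL. A relying party that still holds the older CRL accepts the certificate, because the CRL itself cannot say anything about a compromise the CA does not yet know about. The CA name, the subject name, the config and file layout are all made up for this demo; the commands are standard OpenSSL ones.

```shell
#!/bin/sh
# Added example, not from the thread: show the CRL window with openssl(1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl ca`; it is only used here to revoke and to emit CRLs.
# Section and file names are arbitrary choices for the demo.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber

# 1. A demo CA and a client certificate it signs. client.key is the private key
#    whose theft the thread worries about.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=client" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 30 -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt 2>/dev/null

# verify_against CRLFILE: the check a relying party does with CRL checking on.
# Prints "valid", "revoked" or "error" (e.g. the CRL could not be loaded).
verify_against() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo error ;;
  esac
}

# 2. CRL published while the certificate is in good standing. A relying party
#    fetches and caches this one.
openssl ca -config ca.cnf -gencrl -out crl_before.pem 2>/dev/null

# 3. The private key is stolen here. Nothing changes on the CA side until the
#    theft is noticed, so crl_before.pem keeps saying the certificate is fine.

# 4. Theft discovered: revoke with reason keyCompromise and publish a new CRL.
openssl ca -config ca.cnf -revoke client.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_after.pem 2>/dev/null

echo "with the CRL from before discovery: $(verify_against crl_before.pem)"
echo "with the CRL after revocation:      $(verify_against crl_after.pem)"
```

The first line prints `valid` and the second `revoked`: the only thing that changed between the two checks is which CRL the verifier had, which is why the window closes only when discovery, revocation and CRL (or OCSP) distribution have all happened.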