HTTPS Certificate Revocation Doesn’t Work: Some Fixes

The traditional mechanisms for revoking compromised TLS/SSL certificates--certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP)--don’t really work. But something can be done about this, in the form of “OCSP Must-Staple”. The separate problem of rogue certificates--certs issued for your domain without your knowledge or permission--can be mitigated with Certificate Transparency (CT), where the issuing Certificate Authorities (CAs) publish all the certs they have given out, so that domain owners can cross-check them. There is also Certificate Authority Authorization (CAA), where a DNS record for your domain specifies which CA(s) are allowed to issue certs for it. <https://arstechnica.com/security/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/>
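As an added illustration of the CAA part (not code from this post or from the linked article), here is the core of the check a CA is supposed to perform under RFC 8659 before issuing: climb from the requested name to the closest ancestor that has CAA records, then see whether the requesting CA's identifier appears in an `issue` (or, for wildcard requests, `issuewild`) record. The zone data, CA names and the `example.com` names are constructed for the example; real DNS lookups and CNAME handling are deliberately left out so it runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 0x80            # flag bit from RFC 8659 section 4.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int    # 0 or ISSUER_CRITICAL
    tag: str      # property tag, e.g. "issue"
    value: str    # property value, e.g. "letsencrypt.org" or ";" (no CA allowed)


# Constructed sample zone (hypothetical): name -> CAA record set at that name.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # A subdomain with its own, stricter policy: one CA for ordinary
    # certs and no CA at all for wildcard certs.
    "shop.example.com": [
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", ";"),
    ],
}


def relevant_record_set(zone: Dict[str, List[CAARecord]],
                        fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from fqdn towards the root and return the first CAA set found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value: str) -> str:
    """The CA identifier is everything before the first ';' parameter separator."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: Dict[str, List[CAARecord]], fqdn: str,
                ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    _, records = relevant_record_set(zone, fqdn)
    if not records:
        return True                      # no CAA anywhere in the tree: unrestricted

    # A critical record with a tag the CA does not understand forbids issuance.
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # issuewild overrides issue for wildcard requests only when present.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True                      # only iodef etc. present: not restricted

    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("shop.example.com", "digicert.com", False),
                           ("shop.example.com", "digicert.com", True)]:
        print(host, ca, "wildcard" if wild else "plain",
              "->", "permitted" if caa_permits(SAMPLE_ZONE, host, ca, wild) else "denied")
```

The `www.example.com` case shows the tree climb: there is no record at `www`, so the policy at `example.com` governs. The `shop.example.com` wildcard case shows why a CA must consult `issuewild` separately, since an empty `issuewild ";"` closes the wildcard door even though ordinary issuance is allowed.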
participants (1)
- Lawrence D'Oliveiro