Cryptographic certificates are a powerful tool for building security-concerned applications where the participants must be authenticated in order to access some resources or commit a transaction. These applications include, for instance, secure distributed systems, electronic commerce and code signing, etc. However, due to various reasons, the validity of such certificates can change over time, introducing the risk of an invalid certificate being used to authenticate an entity. Various methods of mitigating this risk have been devised, known broadly as ``certificate revocation'' schemes. The examination of these schemes shows that they are suffering from scalability and/or tunability problems. Though it is commonly agreed that no scheme fits for all, we argue that a scalable and fully tunable certificate revocation scheme is able to support the majority of security-concerned applications, if not all. In this talk, we will present our router-aided certificate revocation scheme that provides scalability and full tunability. Three strategies are deployed to help achieve scalability and tunability: caching on strategic routers, request-triggered revocation update and consistent management of the certificates. Our scheme utilizes existing network resource (router) and is compatible with the prevalent X.509 standard.