Revoking certificates

Certificate revocation lets administrators efficiently manage the lifecycle of certificates issued through Microsoft Active Directory Certificate Services (Microsoft AD CS).

If you're an administrator with either the PKI Administrator or System Administrator role, you can directly revoke any certificate in the Certificate Inventory that was issued by your Microsoft AD CS.

Best Practice

With Microsoft AD CS, revocation requests are typically completed immediately. Revocation requests made to public CAs are not always completed as quickly. Make sure you handle important revocation requests as soon as possible.

Features and benefits

  • Direct revocation request: Administrators can now initiate revocation requests via UI or API, specifically for Microsoft AD CS-issued certificates. This enables quicker security responses.
  • Detailed revocation reasoning: Allows specifying reasons for revocation, such as Key Compromise or Cessation of Operation, aiding in transparent certificate management.
  • Revocation status insights: A new status column in the Certificate Inventory provides immediate visibility into revocation outcomes, crucial for monitoring certificate integrity.
  • Enhanced security controls: Restricting revocation capabilities to administrators reinforces secure certificate lifecycle management, so that only authorized changes are made.

Requirements and compatibility

This feature is currently available to administrators within environments utilizing Microsoft AD CS. It is designed to enhance the security and management of certificates by providing an effective means to request revocations directly through the system's UI or API.

Next steps

To get started with certificate revocation, follow these steps.