Retiring, recovering, and deleting certificates
TLS Protect Cloud lets you retire certificates that are no longer in use. If you retire a certificate that you didn't mean to retire, there are recovery options available.
What does "retire" mean?
"Retire" refers to the act of moving a certificate from inventory to TLS Protect Cloud's virtual recycle bin. After being in the recycle bin for a specific number of days determined by the System Administrator, it will automatically be deleted.
A certificate in the retired state isn't monitored and cannot be associated with an application.
Setting the number of days for deletion
System Administrators can set the number of days that a certificate can be in the retired state before being deleted. Go to Policies > Certificate Lifecycle, and set the Days after retirement for certificates to be deleted forever value.
Permissions for retiring and recovering certificates
By default, administrators and Resource Owners are allowed to retire certificates (though Resource Owners have certain constraints). Administrators can disallow Resource Owners from retiring certificates by clicking Policies > Certificate Lifecycle in the menu bar. From there, expand the Certificate Retirement section and enable the Only admins can retire option.
Resource Owners can only retire certificates that are assigned to Applications they own. In order for Resource Owners to recover a retired certificate, the certificate must first be assigned to at least one application they own. These constraints do not apply to admin users.
Deleting certificates is available only to administrators.
To retire a certificate
- Sign in to Venafi Control Plane.
- Click Inventory > Certificates.
- Find the certificate that you want to retire. You can retire multiple certificates at the same time, if needed.
- Select the checkboxes next to the certificates you want to retire, then click Retire.
- In Retire certificate, keep the checkbox selected if you do not want discovery to find the certificate again the next time it runs.
- Click Retire.
- To see your retired certificates, change the Inventory view to Retired certificates.
To recover a retired certificate
- Click Inventory > Certificates.
- Change the view to Retired certificates.
- Find the certificate(s) you want to recover.
- Select the certificates to recover.
- Click Recover.
- (Optional) In Recover Certificate, if you want to assign the certificate to an application, type in the name of the application.
- In Recover Certificate, click Recover.
The certificate is returned to inventory.
To delete a certificate
Administrators determine whether retired certificates are maintained in TLS Protect Cloud or whether they are automatically deleted after a configurable period of time. This default behavior is set by clicking Settings > Platform, and then selecting Certificate Retirement.
At any time, Administrator users can open a retired certificate from the inventory and select Delete Forever.