
Revoking certificates

If you're an administrator with either the PKI Administrator or System Administrator roles, you can directly revoke certificates you've issued, for supported CAs.

Certificate Manager - SaaS currently supports revocation for the following CAs:

  • Microsoft AD CS
  • Venafi Zero Touch PKI
  • DigiCert
  • ACMEv2

Before you begin

  • Make sure that you have either the PKI Administrator or System Administrator roles assigned to your Certificate Manager - SaaS account.
  • (Conditional) If you're using Microsoft AD CS, upgrade your VSatellite Worker. Run the following PowerShell script on your VSatellite Worker:

    Invoke-WebRequest -OutFile vsatworkerctl.exe -Uri https://dl.venafi.cloud/vsatworkerctl.exe; .\vsatworkerctl.exe upgrade --port 8085
    

    NOTE

    If you didn't use the default port 8085, be sure to specify the correct port before running the script.

To revoke a certificate

  1. Sign in to Venafi Control Plane.
  2. Click Inventory > Certificates.
  3. Locate the certificate you want to revoke and select it.
  4. Click Revoke.
  5. (Conditional) Select a certificate authority account.

    If the certificate was issued using Certificate Manager - SaaS, the correct CA account is selected for you automatically.

    If the certificate was issued outside Certificate Manager - SaaS (meaning it was added to the certificate inventory by one of the discovery import methods), make sure you select the correct CA account, as only the CA account that issued the certificate can revoke it.

  6. Click Revocation Reason and select the most appropriate reason for revoking the certificate. The revocation reasons are specified by RFC 5280, section 5.3.1. The reasons allowed by Certificate Manager - SaaS are:

    • Superseded: The certificate has been replaced with a newer one. Certificate Manager - SaaS defaults to Superseded.
    • Affiliation Changed: The person or organization using the certificate no longer has the same role or relationship with the issuer.
    • Cessation of Operation: The services or operations the certificate was used for have ended.
    • Key Compromise: The private key associated with the certificate is potentially or actually exposed to unauthorized parties.
    • Unspecified: A specific reason for revocation isn't given or is not applicable.
  7. (Optional) In the Comment box, type any relevant information that can be used later to help identify circumstances surrounding the revocation.

  8. Select You are about to revoke this certificate... to confirm your choice, and then click Revoke.

The certificate revocation request will be processed by the Revocation Workflow, and if approved, the revocation will be sent to the CA.

Once the certificate revocation request has been approved, the requestor will receive a confirmation e-mail, and the revocation request will be submitted to the CA.
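
Once the revocation has been submitted to the CA, you can confirm it against the CA's published CRL. The following Python example is added here and is not part of the Venafi documentation or product: it parses the text printed by `openssl crl -noout -text` and checks that a serial number is listed with the reason selected in step 6. The function names and the sample CRL text are constructed for illustration; the reason codes are the CRLReason values from RFC 5280, section 5.3.1.

```python
import re

# CRLReason values (RFC 5280 section 5.3.1) for the five reasons listed in step 6.
UI_REASON_TO_CODE = {"Unspecified": 0, "Key Compromise": 1, "Affiliation Changed": 3,
                     "Superseded": 4, "Cessation of Operation": 5}
# Constructed sample, in the layout printed by `openssl crl -noout -text`.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 1A2B
        Revocation Date: Jan  2 10:00:00 2024 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1A2C
        Revocation Date: Jan  3 10:00:00 2024 GMT
"""

def _norm(text):
    return re.sub(r"\s+", "", text).lower()  # ignore case and spacing differences

def _serial(value):
    return value.replace(":", "").upper().lstrip("0") or "0"

def parse_crl_text(text):
    """Map each revoked serial (hex) to its reason string, or None if absent."""
    entries, serial, want_reason = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Serial Number:\s*([0-9A-Fa-f:]+)$", line)
        if m:
            serial = _serial(m.group(1))
            entries[serial], want_reason = None, False
        elif serial and line.startswith("X509v3 CRL Reason Code"):
            want_reason = True  # the reason text is on the next non-empty line
        elif serial and want_reason and line:
            entries[serial], want_reason = line, False
    return entries

def check_revocation(crl_text, serial_hex, ui_reason):
    """Return (status, detail); status is ok, not-revoked or reason-mismatch."""
    if ui_reason not in UI_REASON_TO_CODE:
        raise ValueError(f"not a reason offered in step 6: {ui_reason!r}")
    entries = parse_crl_text(crl_text)
    if _serial(serial_hex) not in entries:
        return ("not-revoked", "serial absent; the CRL may predate the approval")
    # RFC 5280 says to omit reasonCode rather than send unspecified (0).
    found = entries[_serial(serial_hex)] or "Unspecified"
    if _norm(found) != _norm(ui_reason):
        return ("reason-mismatch", found)
    return ("ok", f"{found} (CRLReason {UI_REASON_TO_CODE[ui_reason]})")
```

A `not-revoked` result shortly after approval usually means the CA has not yet published a new CRL, so repeat the check after the CRL's next update time.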