Revoking certificates

If you're an administrator with either the PKI Administrator or System Administrator role, you can directly revoke certificates you've issued from supported CAs.

TLS Protect Cloud currently supports revocation for the following CAs:

  • Microsoft AD CS
  • Venafi Zero Touch PKI

Before you begin

  • Make sure that either the PKI Administrator or System Administrator role is assigned to your TLS Protect Cloud account.
  • If you're using Microsoft AD CS, upgrade your VSatellite Worker. Run the following PowerShell script on your VSatellite Worker:

    Invoke-WebRequest -OutFile vsatworkerctl.exe -Uri https://dl.venafi.cloud/vsatworkerctl.exe; .\vsatworkerctl.exe upgrade --port 8085
    

    NOTE

    If you didn't use the default port 8085, be sure to specify the correct port before running the script.

To revoke a certificate

  1. Sign in to TLS Protect Cloud.
  2. Click Inventory > Certificates.

    Make sure that you are viewing the Certificates - Next Gen view of the inventory.

  3. Locate the certificate you want to revoke and select it.

  4. Click Revoke.
  5. (Conditional) Select a certificate authority account.

    If the certificate was issued using TLS Protect Cloud, the correct CA account is selected for you automatically.

    If the certificate was issued outside TLS Protect Cloud (meaning it was added to the certificate inventory by one of the discovery import methods), make sure you select the correct CA account, as only the CA account that issued the certificate can revoke it.

  6. Click Revocation Reason and select the most appropriate reason for revoking the certificate:

    • Superseded: The certificate has been replaced with a newer one. TLS Protect Cloud defaults to Superseded.
    • Affiliation Changed: The person or organization using the certificate no longer has the same role or relationship with the issuer.
    • Cessation of Operation: The services or operations the certificate was used for have ended.
    • Key Compromise: The private key associated with the certificate is potentially or actually exposed to unauthorized parties.
    • Unspecified: A specific reason for revocation isn't given or is not applicable.
  7. (Optional) In the Comment box, type any relevant information that can be used later to help identify circumstances surrounding the revocation.

  8. Select You are about to revoke this certificate... to confirm your choice, and then click Revoke.

When the certificate revocation request has been accepted by the CA, a confirmation message appears on the screen.
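
The confirmation only means the CA accepted the request; relying parties see the revocation once the CA publishes it (for Microsoft AD CS, in its next CRL) and any cached CRL has expired. The following PowerShell check is an added example, not part of the original page or of Venafi's tooling; the function name Test-CertificateRevoked and the file path are hypothetical. It asks Windows chain validation whether an exported certificate is now reported as revoked and keeps "no answer" separate from "not revoked".

```powershell
# Added example (not Venafi code). Test-CertificateRevoked and the sample
# path are hypothetical names chosen for illustration.
function Test-CertificateRevoked {
    param(
        [Parameter(Mandatory)]
        [string] $Path    # exported certificate file (.cer/.crt)
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $file
    $chain = New-Object "$ns.X509Chain"

    # Online permits CRL/OCSP retrieval over the network; Windows can still
    # answer from a cached CRL that has not reached its NextUpdate time.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EndCertificateOnly'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    [void] $chain.Build($cert)

    # Fold the status flags of every chain element into one bit field.
    $seen = 0
    foreach ($s in $chain.ChainStatus) { $seen = $seen -bor [int] $s.Status }

    $revoked = [int] [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $unknown = [int] [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [int] [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation

    if ($seen -band $revoked) { return 'Revoked' }
    # A missing or unreachable CRL/OCSP answer is not proof of validity.
    if ($seen -band ($unknown -bor $offline)) { return 'Unknown' }
    return 'NotRevoked'
}

# Placeholder path: export the revoked certificate to a file first.
Test-CertificateRevoked -Path '.\revoked-cert.cer'
```

A result of NotRevoked shortly after revoking usually means the consulted CRL predates the revocation; run the check again after the CA has published a new CRL.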