Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Required permissions

To revoke a certificate, the executing user needs the "Issue and Manage Certificates" permission on the certificate authority that issued the certificate.

Required information

The following information is required to revoke a certificate:

  • Serial number of the certificate
  • Reason for the closure

The serial number can be determined, among other things, via the "Details" tab of a certificate.

The following are possible reasons for revocation:

CodeDesignationDescription
0UnspecifiedThis is the default setting and indicates that there is no specific reason for the revocation.
1Key CompromiseThe private key of a certificate was stolen or otherwise known to unauthorized third parties.
2CA CompromiseThe private key of the certification authority was stolen or otherwise known to unauthorized third parties.
3Affiliation ChangedIf the content of the certificate (e.g. the name of the user) has changed, a new certificate must be issued.
4SupersededThe revoked certificate was replaced with a new certificate.
5Cessation of OperationThe operation of the service belonging to the certificate was discontinued, for example, because there is a new service under a different name.
6Certificate HoldThe certificate is revoked temporarily. This revocation type is the only one where the revocation can be subsequently undone.
8Remove from CRLIf a certificate was revoked with reason "Certificate Hold" and delta revocation lists are used, the revoked certificate is kept in the delta revocation list with this code until the entry in the main revocation list is removed.
-1UnrevokeIf a certificate has been revoked with reason "Certificate Hold", this code can be used to unblock it via command line. Likewise, in the auditEvent 4870 the undoing of a certificate revocation is marked with this code.

Only revocation reason number 6 (Certificate Hold) makes it possible to remove a certificate from the revocation list again later.

Details: Revoking an issued certificate via the command line

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Revocation of a certificate can be done with the following command line command.

certutil -revoke {serial number} {reason code}

The command can be executed directly on the certificate authority as listed above. For an Active Directory integrated certificate authority, it can also be executed by another domain member if the -config switch is included with the config string (Servername\Common-Name) as an argument.

Details: Revoking an issued certificate via the graphical user interface

In the certificate authority management console (certsrv.msc), the certificate to be revoked is first identified. Then right-click on the database entry and select "All Tasks" - "Revoke Certificate".

In the following dialog, the reason for the revocation is specified. Optionally, a date can be specified as of which the certificate is to be revoked. Thus, a scheduled revocation can already be realized in advance.

Publish a new certificate revocation list

The certificate is initially only marked as revoked in the certification authority database. It will be entered on the certificate revocation list the next time it is published.

The certificate revocation list is published automatically by the certification authority. As a rule, it is not necessary to publish new certificate revocation lists on an unscheduled basis. If desired, the procedure for publishing a certificate revocation list is described in the article "Create and publish a certificate revocation list" described.

Please note that it cannot be guaranteed that a certificate revocation will be recognized directly by all participants, since client-side Locking information is stored temporarily can.

Please note that expired certificates (with the exception of code signing certificates) be removed from the blacklist again.

Related links:

en_USEnglish