11.3.8.3. Procedure – Revoking a certificate

To revoke a certificate, complete the following steps.

  1. Select the certificate to be revoked.

    Figure 11.20. Revoking certificates

  2. For general certificates, click Revoke on either the PKI management or the Certificates tab. CA certificates can be revoked from either the PKI management or the Trusted CAs tab.

    Note

    Only certificates signed by local CAs can be revoked.

    Self-signed CA certificates cannot be revoked.

  3. Enter the password of the issuer CA. If the private key associated with the certificate is to be deleted as well, check the Archive CSR and private key checkbox. Click OK.

    Figure 11.21. Revoking the private key

    Tip

    If the private key of a certificate has been compromised, the private key should be revoked along with the certificate. Generally, it is recommended to generate new keys each time a certificate is refreshed.

  4. On the PKI management tab, the certificate will now appear in the Revocations list of its CA. On the Certificates tab, the dates of its validity will disappear, and the Parts section will indicate that only the CSR (r) and (if it has not been revoked) its private key (k) are available.

  5. The CRL of the issuer CA is refreshed automatically.

  6. The revocation will be effective on the PNS hosts only when their CRL information is updated from MS. If MS is not configured to perform distribution automatically (or the update should be made available immediately), it can be performed manually through the PKI/Distribute Certificates menu item.
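One way to confirm steps 5 and 6 from the command line, as an added example that is not part of the original documentation: check whether the revoked certificate's serial number is listed in the copy of the CRL a host actually holds. It assumes the certificate and the CRL are available as PEM files (the file names are the caller's, since this page does not give the product's storage paths) and that the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: check that a certificate's serial is listed in a CRL copy.
# File names passed to these functions are assumptions supplied by the caller.

# Reads `openssl crl -noout -text` output on stdin.
# Succeeds (0) if serial $1 appears under a "Serial Number:" line, else 1.
serial_in_crl_text() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        /^[[:space:]]*Serial Number:/ {
            # Compare case-insensitively; openssl prints hex in upper case
            if (toupper($NF) == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Prints the certificate serial as hex (the part after "serial=").
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Usage: cert_is_revoked CERT.pem CRL.pem
# Returns 0 if listed in the CRL, 1 if not listed, 2 if a file cannot be read.
cert_is_revoked() {
    serial=$(cert_serial "$1") || return 2
    [ -n "$serial" ] || return 2
    # Capture first so an unreadable CRL is an error, not "not revoked"
    text=$(openssl crl -in "$2" -noout -text) || return 2
    printf '%s\n' "$text" | serial_in_crl_text "$serial"
}
```

A result of 1 on a host after the certificate shows up in the Revocations list means that host still holds the old CRL and the distribution in step 6 has not reached it yet.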