11.3.8.3. Procedure – Revoking a certificate

To revoke a certificate, complete the following steps.

  1. Select the certificate to be revoked.

    It is possible to multi-select a number of certificates for the Revoke activity. However, if the certificate has no Issuer, the Revoke button will not be active.

    Note

    It is possible to multi-select a number of certificates for the Revoke activity. However, if the Issuer of the selected certificates is not the same, the Revoke button will not be active.

    Note

    If the certificate(s) selected for Revoke is in use in the current configuration, a warning will be displayed to inform the administrator. A certificate that is in use cannot be revoked. If a certificate in use is part of a multiple selection of certificates for the Revoke activity, none of the selected certificates will be revoked.

    Figure 11.22. Revoking certificates

  2. For general certificates, click on Revoke either on the PKI management or the Certificates tab. CA certificates can be revoked from either the PKI management or the Trusted CAs tab.

    Note

    Only certificates signed by local CAs can be revoked.

    Self-signed CA certificates cannot be revoked.

  3. Enter the password of the issuer CA. If the private key associated with the certificate is to be revoked as well, check the Archive CSR and private key checkbox. Click OK.

    Figure 11.23. Revoking the private key

    Tip

    If the private key of a certificate has been compromised, the private key should be revoked along with the certificate. Generally it is recommended to generate new keys each time a certificate is refreshed.

  4. After the certificate is revoked, it disappears from the lists of certificates on the Certificates tab, and appears only on the PKI management tab, in the Revocations list of its CA.

  5. The CRL of the issuer CA is refreshed automatically.

  6. The revocation will be effective on the PNS hosts only when their CRL information is updated from MS. If MS is not configured to perform distribution automatically (or the update should be made available immediately), it can be performed manually through the PKI/Distribute Certificates menu item.
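
One way to confirm that a revocation has actually reached a host, as described in step 6. This is an added example, not part of the original documentation or the product. It assumes the OpenSSL command-line tool and PEM copies of the host's CRL and of the revoked certificate. The function names, file names and the throwaway CA are constructed for the demonstration.

```shell
# Return 0 if the serial number of certificate $2 is listed in CRL file $1.
crl_lists_cert() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    [ -n "$serial" ] || return 2   # unreadable certificate
    openssl crl -in "$1" -noout -text | grep 'Serial Number:' |
        tr -d ' ' | cut -d: -f2 | grep -qix "$serial"
}

# Constructed throwaway CA in directory $1 (a stand-in, not the product's PKI).
# Writes cert.pem, old.crl (issued before revocation) and new.crl (after).
make_demo_pki() {
    d=$1
    mkdir -p "$d/certs" && : > "$d/index.txt" && echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
    ca="openssl ca -batch -config $d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=host.example" -keyout "$d/host.key" -out "$d/host.csr" &&
    $ca -notext -in "$d/host.csr" -out "$d/cert.pem" &&
    $ca -gencrl -out "$d/old.crl" && $ca -revoke "$d/cert.pem" &&
    $ca -gencrl -out "$d/new.crl"
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" >/dev/null 2>&1
for crl in old.crl new.crl; do   # old.crl plays the host's stale copy
    if crl_lists_cert "$tmp/$crl" "$tmp/cert.pem"
    then echo "$crl: certificate is listed as revoked"
    else echo "$crl: certificate NOT listed, still accepted with this CRL"
    fi
done
rm -rf "$tmp"
```

A host that still holds the CRL issued before the revocation does not list the certificate, which is why the distribution in step 6 matters.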