Revoke a certificate

Revocation tells the Certificate Authority the cert is no longer trusted and should be published in CRL/OCSP as revoked. It is a one-way action — you cannot un-revoke, you can only issue a fresh cert. CertAutoPilot calls the issuer (ACME or MSCA), records the reason, emits the audit + notification events, and marks the cert as revoked.

01When to revoke

• Key compromise — the private key has been exposed (bucket leak, HSM incident, lost laptop). Use reason keyCompromise. Browsers honour this with CRLSets / OneCRL escalation.
• Ownership change — the domain is being transferred and the cert should not remain valid with the previous owner.
• Decommission — the app is going away; you want to make the cert inert in case it leaks.
• Subject problem — wrong identifiers, wrong organization details. Use cessationOfOperation or affiliationChanged.
• Superseded — you reissued with different parameters and want the old cert withdrawn.

02Prerequisites

• Operator role or higher on the project.
• An approval workflow may gate revocation; if so, you get a "request approval" dialog instead of direct revoke.
• For ACME certs the associated account key must still be loaded — it is used to sign the revocation request. Deleting the account before revoking its certs makes revocation impossible from CertAutoPilot.

03Revoke

1. Go to the certificate detail page.
2. Click Revoke (top-right actions). The button is disabled if the cert is already expired, already revoked, or if the approval workflow requires a different role.
3. Pick a reason:
   • unspecified (0) — default, no strong signal.
   • keyCompromise (1) — strong signal; browsers treat this as severe.
   • affiliationChanged (3) — org restructure.
   • superseded (4) — replaced by a new cert.
   • cessationOfOperation (5) — app/domain shutting down.
   • privilegeWithdrawn (9).
   • Others per RFC 5280.
   MSCA accepts the same reason codes.
4. Optional note — free text stored on the audit record.
5. Click Confirm. A revoke_certificate (or msca_revoke) job enqueues.

04What happens

1. The worker loads the cert + private key + account.
2. It signs a revocation request using the account key (ACME) or authenticates over CES (MSCA).
3. The CA returns success; the cert state flips to revoked.
4. A cert.revoked event is written to the timeline and notification rules fire.
5. Active distributions are NOT automatically rolled back. If the cert is live on an HTTPS endpoint, that endpoint still presents it — you must distribute a replacement cert or explicitly rollback the distribution.

05Verify

• Detail page shows status: revoked and the reason.
• Timeline has a cert.revoked event with actor, reason, and note.
• Third-party check (several minutes post-revocation):

  openssl ocsp -issuer chain.pem -cert cert.pem \
    -url $(openssl x509 -in cert.pem -ocsp_uri -noout)

  Expected: Cert Status: revoked.

06Troubleshooting

"account key not loaded"

The ACME account was deleted from CertAutoPilot before its certs were revoked. Recreate an account on the same CA and attach it to the cert (Settings → ACME accounts → the new one), then try again. Some CAs also accept revocation by presenting the cert's own private key without the account — this path is not currently wired in the UI but is doable via the API.

"already revoked"

The CA says it is already revoked but CertAutoPilot thinks it is active. Happens if someone revoked via the CA portal directly. Click Refresh from CA on the detail page to sync status.

Revoke button is disabled with "requires approval"

Approval workflow policy is on for this action. Click Request approval instead — an approver with the right role will see it in /my-requests.