Revoke an issued certificate

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To revoke an issued certificate

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Log on to the system as a Certification Authority Administrator or Certificate Manager.

  2. Open Certification Authority.

  3. In the console tree, click Issued Certificates.

    Where?

    • Certification Authority (Computer)/CA name/Issued Certificates

  4. In the details pane, click the certificate you want to revoke.

  5. On the Action menu, point to All Tasks, and click Revoke Certificate.

  6. Select the reason for revoking the certificate and click Yes.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • The certificate is marked as revoked and is moved to the Revoked Certificates folder. The revoked certificate appears on the certificate revocation list (CRL) the next time the CRL is published. Until then, and until relying parties that have cached the previous CRL fetch the new one, they will continue to accept the certificate. If the key has been compromised, publish a CRL immediately rather than waiting for the scheduled publication (see Manually publish the certificate revocation list).

  • Certificates revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until they expire, or have their revocation reason code changed. "Certificate Hold" is the only revocation reason that will allow you to unrevoke the certificate. It is useful if the status of the certificate is questionable and is meant to provide some flexibility to the CA administrator.

  • To unrevoke a certificate revoked with the reason code "Certificate Hold," at a command prompt on the CA, type:

    certutil -revoke CertificateSerialNumber unrevoke

  • To identify the certificate serial number, in the Revoked Certificates folder, in the details pane, double-click the revoked certificate, and then click the Details tab.

  • To change the reason code for a certificate previously revoked with the reason code "Certificate Hold," type the appropriate command at a command prompt on the CA. The new reason code is a separate, space-separated argument after the serial number:

    New reason code          Command

    Unspecified              certutil -revoke CertificateSerialNumber 0
    Key Compromise           certutil -revoke CertificateSerialNumber 1
    CA Compromise            certutil -revoke CertificateSerialNumber 2
    Affiliation Changed      certutil -revoke CertificateSerialNumber 3
    Superseded               certutil -revoke CertificateSerialNumber 4
    Cessation of Operation   certutil -revoke CertificateSerialNumber 5

  • You can also unrevoke a certificate in the Certification Authority by right-clicking the certificate you want, clicking All Tasks, then clicking Unrevoke Certificate. This certificate must be revoked for the reason of "Certificate Hold".

Using a command line

  1. Open Command Prompt.

  2. Type:

    certutil -revoke SerialNumber ReasonCode

    Value          Description

    revoke         Specifies the revocation of an existing certificate.
    SerialNumber   Specifies the serial number of the certificate to revoke, in hexadecimal as shown on the certificate's Details tab, with no spaces.
    ReasonCode     Specifies the reason code for this certificate revocation. For values, see Notes.

Notes

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -revoke -?

  • The valid reason codes for certificate revocation are:

    Reason for revoking a certificate   Reason code

    Unspecified                         0
    Key Compromise                      1
    CA Compromise                       2
    Affiliation Changed                 3
    Superseded                          4
    Cessation of Operation              5
    Certificate Hold                    6

  • Certificates that are revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until they expire, or have their revocation reason code changed. "Certificate Hold" is the only revocation reason that will allow you to unrevoke the certificate. It is useful if the status of the certificate is questionable and is meant to provide some flexibility to the CA administrator.

  • To unrevoke a certificate that is revoked with the reason code "Certificate Hold," at a command prompt on the CA, type:

    certutil -revoke CertificateSerialNumber unrevoke
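
  • The revocation procedure above, in both its Windows-interface and command-line forms, as an added example that is not code from the original page or from Microsoft. It is a PowerShell wrapper around the certutil commands documented here: it maps reason names to the reason codes in the table, refuses to unrevoke anything that is not on Certificate Hold, and publishes a new CRL straight away for Key Compromise and CA Compromise. Assumed environment (not stated on this page): PowerShell 2.0 or later with certutil.exe on PATH, a CA reachable either locally or through certutil's -config option, and the certutil -view output layout the comment in Get-RevokedReasonCode describes; the CA name and serial number in the usage lines are constructed values.

```powershell
# Added example; this is not code from the original page or from Microsoft.
# It wraps the certutil commands documented above so that an operator can
# only pass a valid reason, can only "unrevoke" a certificate that is on
# Certificate Hold, and gets a fresh CRL published for compromise cases.
# Assumptions (not in the original): PowerShell 2.0 or later, certutil.exe
# on PATH, a CA reachable locally or through -config, and the constructed
# serial number and CA name in the usage lines at the bottom.

$RevocationReasons = @{          # names for the reason codes listed on this page
    'Unspecified'          = 0
    'KeyCompromise'        = 1
    'CACompromise'         = 2
    'AffiliationChanged'   = 3
    'Superseded'           = 4
    'CessationOfOperation' = 5
    'CertificateHold'      = 6
}

function Get-RevokedReasonCode {
    # Returns the current revocation reason for a serial from the CA database,
    # or $null when the certificate is not revoked. The regex expects a line
    # such as "Request Revoked Reason: 0x6 (6) -- Certificate Hold"; that
    # output layout is an assumption, so adjust the pattern if yours differs.
    param([string]$Serial, [string[]]$ConfigArgs)
    $text = & certutil @ConfigArgs -view -restrict "SerialNumber=$Serial" `
                -out 'Request.Disposition,Request.RevokedReason' 2>&1 | Out-String
    if ($text -match 'Revoked\s*Reason[^(\r\n]*\((\d+)\)') { return [int]$Matches[1] }
    return $null
}

function Invoke-CertRevocation {
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,
        [Parameter(Mandatory=$true)][string]$Reason,   # key of $RevocationReasons, or 'Unrevoke'
        [string]$CAConfig,                             # 'CAHOST\CA name'; omit for the local CA
        [switch]$DryRun                                # show the commands without running them
    )
    # The Details tab shows the serial with spaces; certutil wants plain hex.
    $serial = ($SerialNumber -replace '[\s:]', '').ToLower()
    if ($serial -notmatch '^[0-9a-f]+$') { throw "Serial number is not hexadecimal: '$SerialNumber'" }

    $configArgs = @()
    if ($CAConfig) { $configArgs = @('-config', $CAConfig) }

    if ($Reason -eq 'Unrevoke') {
        # Only reason 6 (Certificate Hold) is reversible; check before calling certutil.
        $current = Get-RevokedReasonCode -Serial $serial -ConfigArgs $configArgs
        if ($current -ne 6) {
            throw "Serial $serial is not on Certificate Hold (current revocation reason: '$current'); refusing to unrevoke."
        }
        $reasonArg = 'unrevoke'
    } elseif ($RevocationReasons.ContainsKey($Reason)) {
        $reasonArg = $RevocationReasons[$Reason]
    } else {
        throw "Unknown reason '$Reason'. Valid values: $($RevocationReasons.Keys -join ', '), Unrevoke"
    }

    Write-Host "certutil $($configArgs -join ' ') -revoke $serial $reasonArg"
    if (-not $DryRun) {
        & certutil @configArgs -revoke $serial $reasonArg
        if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed (exit code $LASTEXITCODE)" }
    }

    # Relying parties only learn of the revocation from a CRL they have fetched,
    # and keep trusting a cached CRL until its NextUpdate time. For a compromised
    # key, publish a new CRL now instead of waiting for the scheduled publication.
    if (@('KeyCompromise', 'CACompromise') -contains $Reason) {
        Write-Host "certutil $($configArgs -join ' ') -crl"
        if (-not $DryRun) {
            & certutil @configArgs -crl
            if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit code $LASTEXITCODE)" }
        }
    }
}

# Usage with constructed values (drop -DryRun to execute against the CA):
# Invoke-CertRevocation -SerialNumber '61 2f 4a 00 00 00 00 00 0c' -Reason CertificateHold -CAConfig 'CAHOST\Contoso Issuing CA' -DryRun
# Invoke-CertRevocation -SerialNumber '612f4a00000000000c' -Reason KeyCompromise -CAConfig 'CAHOST\Contoso Issuing CA' -DryRun
# Invoke-CertRevocation -SerialNumber '612f4a00000000000c' -Reason Unrevoke -CAConfig 'CAHOST\Contoso Issuing CA' -DryRun
```

    Running the first two usage lines in order reproduces the flow the Notes describe: a questionable certificate is placed on Certificate Hold, and the hold is later converted to Key Compromise with a separate certutil -revoke call carrying the new reason code, after which certutil -crl publishes the updated CRL. The third line shows that Unrevoke is only attempted once the database confirms reason code 6; for any other reason the function stops before touching the CA. Clients that already cached the previous CRL will not see the change until that CRL's NextUpdate passes, which is why the CRL publication interval (see Schedule the publication of the certificate revocation list) bounds how long a revoked certificate stays usable.
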

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Specify certificate revocation list distribution points in issued certificates
Certificate revocation
Schedule the publication of the certificate revocation list
Manually publish the certificate revocation list
View the certificate revocation list