Certificate Revocation¶
Certificate revocation is the process of permanently invalidating a certificate before its natural expiry date. A revoked certificate should no longer be trusted by any system that consumes it, even though it is still within its validity period. Its signature continues to verify, so revocation is only effective for clients that actually check revocation status (for example via the issuing CA's CRL).
The Zaita platform supports revocation for certificates managed through the platform, routing revocation requests to the appropriate back-end based on which provider issued the certificate.
Why Revocation Matters¶
Certificates represent proof of identity and authorisation. If the circumstances that justified issuing a certificate change — the private key is compromised, the organisation changes structure, or the service is decommissioned — continuing to trust that certificate creates a security risk.
Common scenarios that require revocation:
- Key compromise — the certificate's private key has been exposed or is suspected to have been accessed by an unauthorised party.
- Service decommissioning — the service or domain the certificate was issued for no longer exists or is no longer operated by your organisation.
- Certificate superseded — the certificate has been replaced by a new issuance, and the old one should be invalidated so that it cannot continue to be used alongside its replacement.
- Organisational change — an employee or team no longer has a relationship with the organisation that justified issuance.
How Revocation Works¶
When you revoke a certificate through the platform, the request is dispatched to the Back Control Plane (BCP), which processes the revocation against the CA that issued the certificate:
| Provider | Revocation mechanism |
|---|---|
| Zaita Local PKI | The BCP marks the certificate revoked in its internal store and adds an entry for the certificate's serial number to the CA's CRL. |
| DigiCert | The BCP calls the DigiCert CertCentral API to revoke the order. |
| GlobalSign | The BCP calls the GlobalSign Atlas API to delete/revoke the certificate. |
| ACME | Not yet implemented. Revocation must be performed directly through the ACME CA. |
After the BCP processes the revocation, the platform immediately updates the certificate's status to revoked in the inventory. Note that this is the platform's own record: clients that check revocation learn of it only when they fetch the CA's updated CRL (or OCSP response, where the CA provides one), so a client holding a cached response may continue to accept the certificate until that cache expires.
Revocation Is Permanent¶
Revocation cannot be undone through the platform. Once a certificate's status is set to revoked, it cannot be restored to active. If the service needs a valid certificate, a new certificate must be requested.
Revocation Reasons¶
When revoking a certificate, you can optionally specify a reason code. Reason codes follow the standard X.509 CRLReason enumeration defined in RFC 5280:
| Reason | When to use |
|---|---|
| keyCompromise | The private key has been or is suspected to have been compromised. Use this for urgent revocations. |
| cACompromise | The CA that issued this certificate has been compromised. |
| affiliationChanged | The subject's relationship to the issuing organisation has changed (for example, an employee who has left). |
| superseded | The certificate is being replaced by a newer certificate. |
| cessationOfOperation | The service or entity this certificate was issued for is no longer operating. |
| unspecified | No specific reason. Use when none of the above apply. |
Providing a reason is optional but recommended. The reason is stored in the certificate record and included in audit logs.
Scope of Revocation¶
Revoking a certificate through the platform revokes that specific certificate. It does not:
- Revoke other certificates issued to the same domain.
- Remove the certificate from servers where it is currently deployed.
- Automatically issue a replacement certificate.
You are responsible for replacing the certificate on any systems where it is deployed after revocation. If the revocation was for key compromise, the replacement must be issued for a newly generated key; re-issuing a certificate for the compromised key defeats the purpose of the revocation.
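The following is an added example, not code from the Zaita platform or the BCP, showing in Python with the `cryptography` package what the Local PKI mechanism above amounts to: the revoked certificate's serial number is added to a CRL signed by the issuing CA, with a CRLReason code from the table above, and a checker then looks certificates up in that CRL. It issues two certificates for the same domain and revokes only one of them, which demonstrates the scope described above (the second certificate for the same domain stays valid). The CA, the leaf certificates, the names `Example Local CA` and `app.example.com`, and the checker function are all constructed here for illustration and are not part of the platform.

```python
"""Added example: revoke one certificate via a CA-signed CRL carrying a CRLReason,
then check certificates against it. Uses the `cryptography` package; the CA,
leaf certificates and names below are constructed in memory for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Self-signed CA, a stand-in for a local PKI root (assumed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Example Local CA"))
        .issuer_name(_name("Example Local CA"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name):
    """Issue a 90-day leaf certificate for dns_name with a fresh key."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(dns_name))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked, crl_number=1):
    """Sign a CRL listing each (certificate, x509.ReasonFlags) pair in `revoked`.
    ReasonFlags are the RFC 5280 CRLReason codes (key_compromise, superseded, ...)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))  # clients must refetch after this
        .add_extension(x509.CRLNumber(crl_number), critical=False)
    )
    for cert, reason in revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)  # CRLs identify certificates by serial
            .revocation_date(NOW)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_status(cert, crl, ca_cert):
    """Return ("revoked", reason_name) or ("good", None) for cert according to crl.
    The CRL is rejected unless signed by the issuing CA: accepting a forged or
    unsigned CRL would let an attacker "un-revoke" a compromised key."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuing CA")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match the certificate issuer")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return ("good", None)
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
    except x509.ExtensionNotFound:
        reason = "unspecified"  # entry carries no reasonCode extension
    return ("revoked", reason)


def demo():
    """Revoke only the compromised certificate; its replacement for the same
    domain stays good, because revocation is per certificate, not per domain."""
    ca_key, ca_cert = make_ca()
    compromised = issue_leaf(ca_key, ca_cert, "app.example.com")
    replacement = issue_leaf(ca_key, ca_cert, "app.example.com")
    crl = build_crl(ca_key, ca_cert, [(compromised, x509.ReasonFlags.key_compromise)])
    return {"compromised": revocation_status(compromised, crl, ca_cert),
            "replacement": revocation_status(replacement, crl, ca_cert)}


if __name__ == "__main__":
    for label, status in demo().items():
        print(label, status)
```

Running the script reports `compromised ('revoked', 'key_compromise')` and `replacement ('good', None)`. The checker verifies the CRL signature before trusting its contents; a real client would additionally check that `next_update` has not passed and fetch a fresh CRL when it has, which is the propagation delay referred to under How Revocation Works.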
Next Steps¶
- Setting up Certificate Revocation — step-by-step guide to revoking a certificate.
- Managing Revoked Certificates — viewing revocation history and filtering the inventory.
- Best Practices for Certificate Revocation — guidance on when and how to revoke effectively.