
Managing Revoked Certificates

Revoked certificates remain in the certificate inventory with their status updated to revoked. This page covers how to view and filter revoked certificates, understand the information recorded at revocation time, and use revocation data in audit and compliance workflows.


Viewing Revoked Certificates

Navigate to CLM → Certificates. The inventory includes all certificates regardless of status.

To view only revoked certificates, filter by status: revoked. The filtered view shows all certificates that have been revoked through the platform, including the revocation reason if one was provided.


Certificate Status After Revocation

A revoked certificate's detail page shows:

Field               Value
Status              revoked
Revocation Reason   The reason code provided at revocation time, or blank if no reason was given.
All other fields    Retained as-is; the certificate record is not deleted.

The certificate PEM, validity dates, issuer, algorithm, and all subject fields remain visible after revocation. This allows you to refer back to the certificate's details when investigating an incident or auditing past issuances.


Revocation and Discovery

If a revoked certificate is still deployed on a host and is picked up by a Bridge-based Discovery Job, the discovery scan updates the last_seen_at timestamp on the certificate record. The revoked status set by the platform is not overwritten by a discovery update.

Use this behaviour to detect certificates that have been revoked in the platform but are still being served: a recent last_seen_at on a revoked certificate means the certificate has not been removed from the host. Clients that do not check revocation status, or that fail open when the check is unavailable, will continue to accept such a certificate, so removal should not wait. The converse is weaker: an old last_seen_at only shows that no scan has observed the certificate since, so confirm that a Discovery Job covering the affected hosts has completed after the revocation before treating the certificate as removed.


Audit Events

All revocation actions are recorded in the audit log, accessible under Admin → Audit Log:

Event                                  When
certificate.revoke.requested           The revocation dialog was opened for a certificate.
certificate.revoke.dispatched          The revocation request was sent to the Back Control Plane. Includes the job_id returned by the BCP.
certificate.revoke.success             The certificate status was updated to revoked in the inventory.
certificate.revoke.failed              The BCP or external CA returned an error. Includes the error message.
certificate.revoke.unauthorized        A revocation was attempted by a user without permission for the certificate's domain.
certificate.revoke.already_revoked     A revocation was attempted on a certificate that was already revoked.

Each audit entry records the certificate ID, Common Name, UUID, the acting user, and the revocation reason (if provided). Use these entries to reconstruct the timeline of a revocation event. A certificate with a dispatched event but no matching success or failed event is a revocation that never reached a terminal state; check its status with the CA directly rather than trusting the inventory.
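The timeline reconstruction described above, as an added example that is not part of the platform's own tooling. It assumes the audit log can be exported as JSON-style records carrying the fields this page lists (event name, certificate UUID, Common Name, acting user, revocation reason) plus a timestamp and the BCP job_id; the field names and the entries below are constructed for illustration. Beyond a per-certificate timeline, it flags revocations that were dispatched but never completed and lists rejected attempts.

```python
"""Reconstruct revocation timelines from exported audit-log entries.

Added example, not the platform's own code. Field names (ts, event, uuid,
cn, user, reason, job_id) are assumptions about the export format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: one clean revocation (a1), one dispatched but
# never terminated (b2), and one attempt rejected for lack of permission (c3).
SAMPLE_AUDIT_LOG = [
    {"ts": "2024-05-01T09:00:02Z", "event": "certificate.revoke.requested",
     "uuid": "a1", "cn": "api.example.test", "user": "alice", "reason": None},
    {"ts": "2024-05-01T09:00:10Z", "event": "certificate.revoke.dispatched",
     "uuid": "a1", "cn": "api.example.test", "user": "alice",
     "reason": "keyCompromise", "job_id": "job-1001"},
    {"ts": "2024-05-01T09:00:41Z", "event": "certificate.revoke.success",
     "uuid": "a1", "cn": "api.example.test", "user": "alice",
     "reason": "keyCompromise", "job_id": "job-1001"},
    {"ts": "2024-05-01T10:15:00Z", "event": "certificate.revoke.requested",
     "uuid": "b2", "cn": "mail.example.test", "user": "bob", "reason": None},
    {"ts": "2024-05-01T10:15:07Z", "event": "certificate.revoke.dispatched",
     "uuid": "b2", "cn": "mail.example.test", "user": "bob",
     "reason": "superseded", "job_id": "job-1002"},
    {"ts": "2024-05-01T11:30:00Z", "event": "certificate.revoke.unauthorized",
     "uuid": "c3", "cn": "vpn.example.test", "user": "mallory", "reason": None},
]

# Events after which a revocation needs no further follow-up in the log.
TERMINAL = {"certificate.revoke.success", "certificate.revoke.failed"}


def parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamp format used in the sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timeline(entries, uuid):
    """All events for one certificate in time order as (ts, event, user, job_id)."""
    rows = sorted((e for e in entries if e["uuid"] == uuid),
                  key=lambda e: parse_ts(e["ts"]))
    return [(e["ts"], e["event"], e["user"], e.get("job_id")) for e in rows]


def incomplete_revocations(entries):
    """UUIDs with a dispatched event but no success or failed event.

    The inventory status of these certificates cannot be trusted: the BCP or
    CA may or may not have revoked them. Verify with the CA directly.
    """
    by_cert = defaultdict(set)
    for e in entries:
        by_cert[e["uuid"]].add(e["event"])
    return sorted(u for u, evs in by_cert.items()
                  if "certificate.revoke.dispatched" in evs and not evs & TERMINAL)


def unauthorized_attempts(entries):
    """(user, Common Name) pairs for attempts rejected on domain permission."""
    return sorted((e["user"], e["cn"]) for e in entries
                  if e["event"] == "certificate.revoke.unauthorized")


def dispatch_to_success_seconds(entries, uuid):
    """Seconds from dispatch to success for one certificate, or None if it never succeeded."""
    stamps = {e["event"]: parse_ts(e["ts"]) for e in entries if e["uuid"] == uuid}
    dispatched = stamps.get("certificate.revoke.dispatched")
    success = stamps.get("certificate.revoke.success")
    if dispatched is None or success is None:
        return None
    return (success - dispatched).total_seconds()


if __name__ == "__main__":
    for row in timeline(SAMPLE_AUDIT_LOG, "a1"):
        print(row)
    print("incomplete:", incomplete_revocations(SAMPLE_AUDIT_LOG))
    print("unauthorized:", unauthorized_attempts(SAMPLE_AUDIT_LOG))
```

Run it against a real export by replacing SAMPLE_AUDIT_LOG with the parsed file; the dispatch-to-success interval is useful as a baseline so that an unusually slow or missing success event stands out during an incident.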


Revocation in Reports

The platform's reporting system includes a dedicated Revoked Certificates report under the Certificate Lifecycle category. This report lists all certificates revoked within a selected time window, with columns for Common Name, issuer, revocation date, and revocation reason.

Use this report for:

  • Compliance reviews — demonstrate that compromised certificates, and certificates withdrawn from use before their expiry, were properly revoked.
  • Incident post-mortems — review the scope of a key compromise event.
  • Periodic hygiene audits — confirm that superseded certificates were correctly revoked when replaced.

See Available Reports for the full report specification.


Replacing a Revoked Certificate

Revoking a certificate does not issue a replacement automatically. After revocation:

  1. Navigate to CLM → Certificates → Request New Certificate and follow the provisioning workflow to issue a replacement.
  2. Deploy the replacement certificate to all affected hosts.
  3. Run a Discovery Job to confirm the old revoked certificate is no longer being served.

If the revocation was due to key compromise, generate a fresh key pair for the replacement. Do not reuse the private key associated with the revoked certificate; any other certificate issued for that same key pair is equally compromised and should be revoked as well.
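The check behind step 3 above, and behind the last_seen_at behaviour described under Revocation and Discovery, as an added example that is not the platform's own code. It assumes the inventory can be exported as records carrying status, a revocation timestamp and last_seen_at, and that the completion time of the most recent Discovery Job is known; the field names and the records below are constructed for illustration. It goes one step further than the text by separating "not seen since revocation" into "removed" and "unverified", since an old last_seen_at proves nothing until a scan has covered the host after the revocation.

```python
"""Classify revoked certificates by whether Discovery still sees them served.

Added example, not the platform's own code. Field names (status,
revoked_at, last_seen_at) and the scan completion time are assumptions
about the export format.
"""
from datetime import datetime, timezone


def parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamp format used in the sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed inventory export.
SAMPLE_INVENTORY = [
    # Revoked, then observed by a later scan: still being served.
    {"uuid": "a1", "cn": "api.example.test", "status": "revoked",
     "revoked_at": "2024-05-01T09:00:41Z", "last_seen_at": "2024-05-03T02:00:00Z"},
    # Revoked, and a scan completed afterwards without observing it: removed.
    {"uuid": "b2", "cn": "mail.example.test", "status": "revoked",
     "revoked_at": "2024-05-01T10:15:30Z", "last_seen_at": "2024-04-30T02:00:00Z"},
    # Revoked after the last scan finished: no evidence either way yet.
    {"uuid": "c3", "cn": "vpn.example.test", "status": "revoked",
     "revoked_at": "2024-05-03T08:00:00Z", "last_seen_at": "2024-05-03T02:00:00Z"},
    # Active certificate: out of scope for this check.
    {"uuid": "d4", "cn": "www.example.test", "status": "active",
     "revoked_at": None, "last_seen_at": "2024-05-03T02:00:00Z"},
]


def classify_revoked(records, last_scan_completed_at):
    """Return {uuid: verdict} for every revoked certificate.

    still_served  Discovery observed the certificate at or after revocation.
    removed       a scan completed after revocation and did not observe it
                  (only as reliable as that scan's host coverage).
    unverified    no scan has completed since revocation, so last_seen_at
                  says nothing about the current state of the host.
    """
    scan = parse_ts(last_scan_completed_at)
    verdicts = {}
    for r in records:
        if r["status"] != "revoked":
            continue
        revoked = parse_ts(r["revoked_at"])
        seen = parse_ts(r["last_seen_at"]) if r["last_seen_at"] else None
        if seen is not None and seen >= revoked:
            verdicts[r["uuid"]] = "still_served"
        elif scan > revoked:
            verdicts[r["uuid"]] = "removed"
        else:
            verdicts[r["uuid"]] = "unverified"
    return verdicts


def still_served(records, last_scan_completed_at):
    """Common Names of revoked certificates that still need to be pulled from hosts."""
    verdicts = classify_revoked(records, last_scan_completed_at)
    return sorted(r["cn"] for r in records
                  if verdicts.get(r["uuid"]) == "still_served")


if __name__ == "__main__":
    print(classify_revoked(SAMPLE_INVENTORY, "2024-05-03T02:30:00Z"))
    print("still served:", still_served(SAMPLE_INVENTORY, "2024-05-03T02:30:00Z"))
```

After deploying the replacement and running a Discovery Job, feed the job's completion time in as last_scan_completed_at; anything still classified as "unverified" means the job did not run late enough to clear the certificate, and "removed" is only trustworthy if the job's scope included every host the certificate was deployed to.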


Next Steps