Setting Up Certificate Revocation
This guide walks through the process of revoking a certificate in the Zaita platform. For background on how revocation works and which providers are supported, see Certificate Revocation — Introduction.
Prerequisites
- You must be signed in with a role that has permission to manage certificates for the domain covered by the certificate.
- Users are restricted to domains they have been granted access to. A user without permission for the certificate's domain cannot revoke it.
- The certificate must have a status of `active` or `expired`. Certificates that are already `revoked` cannot be revoked again.
Revoking a Certificate
Step 1 — Open the Certificate
- Navigate to CLM → Certificates.
- Locate the certificate you want to revoke. Use the search or filter controls if needed.
- Select the certificate to open its detail page.
Step 2 — Open the Revocation Dialog
On the certificate detail page, select Revoke Certificate.
A confirmation dialog opens displaying:
- The certificate's Common Name and UUID, so you can confirm you have selected the correct certificate.
- A randomly generated six-digit confirmation code.
The confirmation code is generated fresh each time the dialog is opened. It is not stored and is not reusable.
Step 3 — Enter the Confirmation Code
Type the six-digit code shown in the dialog into the confirmation field. This step is required to prevent accidental revocation.
Optionally, select a Revocation Reason from the dropdown:
| Reason | Description |
|---|---|
| keyCompromise | The private key has been or is suspected to have been compromised. |
| cACompromise | The CA that issued this certificate has been compromised. |
| affiliationChanged | The subject's relationship to the issuing organisation has changed. |
| superseded | The certificate is being replaced by a new certificate. |
| cessationOfOperation | The service this certificate was issued for is no longer operating. |
| unspecified | No specific reason. |
If no reason is selected, the revocation is recorded without a reason code.
Step 4 — Confirm
Select Confirm Revoke to submit the revocation.
The platform:
- Verifies your authorisation for the certificate's domain.
- Sends the revocation request to the Back Control Plane (BCP).
- The BCP dispatches the revocation to the issuing CA.
- The certificate status is immediately updated to `revoked` in the inventory.
- The revocation reason (if provided) is stored on the certificate record.
A success notification is shown when revocation completes. The certificate detail page updates to reflect the revoked status.
Error Cases
| Error | Cause | Resolution |
|---|---|---|
| "Certificate is already revoked." | The certificate's status is already `revoked`. | No action needed — certificate is already invalid. |
| "You are not authorised to revoke this certificate." | Your account does not have permission for this certificate's domain. | Contact an administrator to adjust domain permissions. |
| "Confirmation code does not match." | The code entered does not match the generated code. | Re-enter the six-digit code shown in the dialog exactly. |
| "Certificate not found on back control plane." | The BCP does not have a record for this certificate. | Contact support. This may indicate a synchronisation issue. |
| "Failed to revoke certificate: ..." | The BCP or external CA returned an error. | The error message will include details. Check the audit log for the full error context. |
ACME Certificates
Revocation of certificates issued via the ACME provider is not yet implemented in the platform. To revoke an ACME-issued certificate:
- Use your ACME client (for example, Certbot or acme.sh) to submit a revocation request directly to the ACME CA.
- Once revoked externally, update the certificate's status in the platform inventory to reflect the revocation, or allow the discovery process to detect the change.
After Revocation
Revoking a certificate through the platform does not automatically:
- Remove the certificate from servers where it is deployed.
- Issue a replacement certificate.
- Notify systems that depend on the certificate.
After revocation, you should:
- Deploy a replacement certificate to any affected services.
- Verify the old certificate is no longer presented by any hosts. Use a Discovery Job to confirm.
- If the revocation was due to key compromise, generate a new key pair for the replacement certificate — do not reuse the compromised key.
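The two checks above (is the revoked certificate still presented, and does the replacement reuse the compromised key) can be scripted with the openssl CLI. The following is an added example, not part of the Zaita documentation or platform: it compares the revoked certificate's SHA-256 fingerprint and its Subject Public Key Info hash against whatever a host presents, so a replacement that was quietly issued for the same key pair is flagged rather than passed. Function names, file names and the self-signed sample certificates are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the platform's own tooling): post-revocation checks with
# the openssl CLI. Given the PEM of the certificate you revoked and the PEM a
# host presents, report whether the host still serves the revoked certificate
# and whether the "replacement" reuses the same key pair.

# SHA-256 fingerprint of the certificate itself (hex, colon-separated).
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 of the DER-encoded Subject Public Key Info. It is identical for
# every certificate issued to the same key pair, so it detects key reuse
# even when the new certificate has a different serial and validity.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the revoked certificate ($1) with a presented one ($2).
# Prints exactly one of: STILL_PRESENTED, KEY_REUSED, OK
check_replacement() {
  revoked="$1"; presented="$2"
  if [ "$(cert_sha256 "$revoked")" = "$(cert_sha256 "$presented")" ]; then
    echo STILL_PRESENTED      # host has not been redeployed
  elif [ "$(spki_sha256 "$revoked")" = "$(spki_sha256 "$presented")" ]; then
    echo KEY_REUSED           # new certificate, same (possibly compromised) key
  else
    echo OK                   # new certificate on a fresh key pair
  fi
}

# Live check: fetch the leaf certificate a host presents over TLS (with SNI)
# and run the same comparison. Usage: check_host revoked.pem host.example 443
check_host() {
  revoked="$1"; host="$2"; port="${3:-443}"
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  printf '%s %s\n' "$host" "$(check_replacement "$revoked" "$tmp")"
  rm -f "$tmp"
}

# Constructed sample material so the checks can be exercised offline:
# a self-signed "revoked" certificate, a bad replacement that reuses its key,
# and a good replacement on a fresh key pair. Files are written into $1.
make_sample_certs() {
  dir="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/key1.pem" -out "$dir/revoked.pem" \
    -subj /CN=sample.test -days 1 2>/dev/null
  openssl req -x509 -new -key "$dir/key1.pem" -out "$dir/reused.pem" \
    -subj /CN=sample.test -days 1 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/key2.pem" -out "$dir/fresh.pem" \
    -subj /CN=sample.test -days 1 2>/dev/null
}
```

Run `check_host revoked.pem <host> 443` for each host the Discovery Job reported as serving the certificate; anything other than `OK` means the host still needs attention. The SPKI comparison is what makes the key-compromise case meaningful: a certificate re-issued for the old key looks new on paper but leaves the compromised key in service.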
Next Steps
- Managing Revoked Certificates — filter the inventory for revoked certificates and review revocation history.
- Best Practices for Certificate Revocation — guidance on incident response, timing, and post-revocation hygiene.