4.4. Revoking Certificates

Only Certificate Manager agents can revoke certificates other than their own. A certificate must be revoked if one of the following situations occurs:
  • The owner of the certificate has changed status and no longer has the right to use the certificate.
  • The private key of a certificate owner has been compromised.
These two reasons are not the only ones why a certificate would need to be revoked; there are six reasons available for revoking a certificate.
To revoke one or more certificates, search for the certificates to revoke using the Revoke Certificates button. While the search is similar to the one through the Search for Certificates form, the Search Results form returned by this search offers the option of revoking one or all of the returned certificates.

4.4.1. Revoking Certificates

  1. Open the Certificate Manager agent services page.
  2. Click Revoke Certificates.

    NOTE

    The search form that appears has the same search criteria sections as the Search for Certificates form.
  3. Specify the search criteria by selecting the check boxes for the sections and filling in the required information.
  4. Scroll to the bottom of the form, and set the number of matching certificates to display.
  5. Click Find.
  6. The search returns a list of matching certificates. It is possible to revoke one or all certificates in the list.

    TIP

    If the search criteria are very specific and all of the certificates returned are to be revoked, then click the Revoke ALL # Certificates button at the bottom of the page. The number shown on the button is the total number of certificates returned by the search. This is usually a larger number than the number of certificates displayed on the current page.
    Verify that all of the certificates returned by the search should be revoked, not only those displayed on the current page.
  7. Click the Revoke button next to the certificate to be revoked.

    CAUTION

    Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked. Once a revocation operation has been confirmed, there is no way to undo it.
  8. Select an invalidity date. The invalidity date is the date on which it is known or suspected that the user's private key was compromised or that the certificate became invalid. A set of drop-down lists allows the agent to select the correct invalidity date.
  9. Select a reason for the revocation.
    • Key compromised
    • CA key compromised
    • Affiliation changed
    • Certificate superseded
    • Cessation of operation
    • Certificate is on hold
  10. Enter any additional comment. The comment is included in the revocation request.
When the revocation request is submitted, it is automatically approved, and the certificate is revoked. Revocation requests are viewed by listing requests with a status of Completed; see Section 3.2, “Listing Certificate Requests” for more information.

4.4.2. Taking Certificates Off Hold

There can be instances when a certificate is inaccessible, and therefore should be treated as revoked, but that certificate can be recovered. For example, a user may have a personal email certificate stored on a flash drive which he accidentally leaves at home. The certificate is not compromised, but it should be temporarily suspended.
That certificate can be temporarily revoked by putting it on hold (one of the options given when revoking a certificate, as in Section 4.4.1, “Revoking Certificates”). At a later time — such as when the forgotten flash drive is picked up — that certificate can be taken off hold and is again active.
  1. Search for the on hold certificate, as in Section 4.2, “Searching for Certificates (Advanced)”. Scroll to the Revocation Information section, and set the Certificate is on hold revocation reason as the search criterion.
  2. In the results list, click the Off Hold button by the certificate to take off hold.
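The following is an added example, not code from this guide or from the Certificate System product. It uses the Python `cryptography` library to show what the invalidity date and revocation reason chosen in Section 4.4.1, and the on-hold state cleared in Section 4.4.2, look like once they reach a CRL: each revoked serial becomes a CRL entry carrying a CRLReason extension and, when set, an InvalidityDate extension, and a certificate on hold is treated as revoked until it drops out of the next CRL. The CA key, issuer name, serial numbers and dates are constructed for the example; the CRL is built locally rather than fetched from a Certificate Manager.

```python
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# The six reasons offered on the agent page, keyed by the RFC 5280
# CRLReason code that ends up in the CRL entry.
REASON_LABELS = {
    x509.ReasonFlags.key_compromise: "Key compromised",
    x509.ReasonFlags.ca_compromise: "CA key compromised",
    x509.ReasonFlags.affiliation_changed: "Affiliation changed",
    x509.ReasonFlags.superseded: "Certificate superseded",
    x509.ReasonFlags.cessation_of_operation: "Cessation of operation",
    x509.ReasonFlags.certificate_hold: "Certificate is on hold",
}

# Constructed sample entries: (serial, reason, invalidity date or None).
SAMPLE_ENTRIES = [
    (1001, x509.ReasonFlags.key_compromise, datetime(2024, 1, 15, 9, 30)),
    (1002, x509.ReasonFlags.certificate_hold, None),
]


def build_crl(entries):
    """Build and sign a CRL with a throwaway CA key (constructed, not a real CA).

    Each entry becomes one CRL entry carrying a CRLReason extension and,
    when an invalidity date was chosen, an InvalidityDate extension.
    """
    ca_key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    now = datetime(2024, 2, 1, 0, 0)  # fixed so the output is reproducible
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + timedelta(days=1))
    )
    for serial, reason, invalidity in entries:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False)
        )
        if invalidity is not None:
            entry = entry.add_extension(x509.InvalidityDate(invalidity), critical=False)
        builder = builder.add_revoked_certificate(entry.build())
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def revocation_status(crl_der, serial):
    """Return (status label, invalidity date as ISO string or None) for a serial.

    A certificate on hold is reported as revoked, exactly like the others,
    until the agent takes it off hold and it is omitted from the next CRL.
    """
    crl = x509.load_der_x509_crl(crl_der)
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("good", None)
    label = "Revoked (unspecified)"
    invalidity = None
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        label = REASON_LABELS.get(reason, "Revoked (%s)" % reason.name)
    except x509.ExtensionNotFound:
        pass
    try:
        ext = entry.extensions.get_extension_for_class(x509.InvalidityDate)
        invalidity = ext.value.invalidity_date.isoformat()
    except x509.ExtensionNotFound:
        pass
    return (label, invalidity)


def take_off_hold(entries, serial):
    """Model the Off Hold action: drop the on-hold entry so the next CRL omits it."""
    return [
        e for e in entries
        if not (e[0] == serial and e[1] == x509.ReasonFlags.certificate_hold)
    ]


def demo():
    """Status of each sample serial before and after the off-hold step."""
    before = build_crl(SAMPLE_ENTRIES)
    after = build_crl(take_off_hold(SAMPLE_ENTRIES, 1002))
    return {
        "1001": revocation_status(before, 1001),
        "1002_on_hold": revocation_status(before, 1002),
        "1002_off_hold": revocation_status(after, 1002),
        "2000_never_revoked": revocation_status(before, 2000),
    }


if __name__ == "__main__":
    for name, (label, invalidity) in demo().items():
        print(name, "->", label, "| invalidity date:", invalidity)
```

Running the block prints the key-compromised serial with its invalidity date, the held serial reported as "Certificate is on hold" in the first CRL and "good" once it has been taken off hold, and an unrevoked serial as "good". Note that the Revoke ALL button in step 6 would turn every search hit into one of these entries, which is why the guide asks the agent to check the full result set rather than only the page on screen.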