POST Certificates Revoke

The POST /Certificates/Revoke method is used to revoke one or more certificates with the specified ID(s). This method returns HTTP 200 OK on a success with a list of the successfully revoked certificate IDs on a success or a list of the failed certificate IDs if any revocations fail.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
/certificates/collections/revoke/
OR
/certificates/collections/revoke/#/ (where # is a reference to a specific certificate collection ID—see CollectionID, below)
OR
/certificate_stores/revoke/
OR
/certificate_stores/revoke/#/ (where # is a reference to a specific certificate store container ID—see ContainerID, below)

Permissions for certificates can be configured at multiple levels. You can apply them system-wide—for all certificates or all certificate stores—or use fine-grained control by assigning permissions at the certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). or certificate store container level. The appropriate level depends on how the certificates are accessed. See Certificate Collection Permissions and Container Permissions for more information about system-wide versus more targeted permission models.

Table 311: POST Certificates Revoke Input Parameters

Name In Description
CertificateIDs Body Required. An array of integers containing the list of Keyfactor Command reference IDs for certificates that should be revoked.
Reason Body

An integer containing the specific reason that the certificate is being revoked. ClosedShow revocation reasons.

The default is Unspecified.

Comment Body Required. A string containing a freeform reason or comment on why the certificate is being revoked.
EffectiveDate Body A string containing the date and time when the certificate will be revoked. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g., 2023-11-19T16:23:01Z). The default is the current date and time.
CollectionId Body

An optional integer that specifies the certificate collection (CollectionId) to validate whether the user has sufficient permissions to perform the action. If a CollectionId is not provided, the user must have appropriate permissions granted system-wide or via certificate store containers.

Providing a CollectionId allows the system to check the user's permissions at the certificate collection level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. Granular certificate permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Certificate Collection Permissions for more information.

ContainerId Body

An optional integer that specifies the certificate store container (ContainerId) to validate whether the user has sufficient permissions to perform the action. If a ContainerId is not provided, the user must have appropriate permissions granted system-wide or via certificate collections.

Providing a ContainerId allows the system to check the user's permissions at the container level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. System-wide certificate store container permissions
  3. Granular certificate store container permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Container Permissions for more information.

PublishCRL Body A Boolean indicating whether a new CRL should be published following revocation (true) or not (false). The default is true.
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.