Revoke a Certificate

When you initiate revocation of a certificate using an ACME client such as Certbot and the Keyfactor ACME server, the certificate revocation is requested via the Keyfactor ACME revoke API endpoint and validated against your Certbot account and the certificate information stored in the Keyfactor ACME database. A regular revocation request is then issued in Keyfactor Command.

Certificate revocation in this manner requires that:

  • The Certificate Revocation Enabled application setting is set to true (see Settings).

  • The user configured to authenticate Keyfactor ACME to Keyfactor Command has permissions to revoke certificates in Keyfactor Command (see Identify Users and Groups).

  • The user making the revocation request has EnrollmentUser permissions in Keyfactor ACME (see Access Control and Claims).

Certbot has multiple parameters to specify differing options. The parameter values you will need to make a simple revocation request to your Keyfactor ACME server are shown in Table 42: Revoke Certificate Parameters.

Table 42: Revoke Certificate Parameters

Parameter Description
--cert-name

Specify the name of the certificate to revoke. This is the domain name referenced by the -d switch on certificate enrollment.

Either --cert-name or --cert-path and --key-path should be used.

--cert-path

The path to the certificate file on the Certbot client machine. For example:

/etc/letsencrypt/live/appsrvr162.keyexample.com/cert.pem

This parameter is used in conjunction with --key-path.

Either --cert-name or --cert-path and --key-path should be used.

--key-path

The path to the certificate private key file on the Certbot client machine. For example:

/etc/letsencrypt/live/appsrvr162.keyexample.com/privkey.pem

This parameter is used in conjunction with --cert-path.

Either --cert-name or --cert-path and --key-path should be used.

--reason

Specify the revocation reason to submit with the request. Certbot supports:

  • unspecified

  • keyCompromise

  • affiliationChanged

  • superseded

  • cessationOfOperation

--server

The URL of the Keyfactor ACME server / the virtual directory specified in the Keyfactor ACME configuration. For example:

https://acmesrvr93.keyexample.com/ACME

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Specify the location of the trusted root certificate bundle on the Linux server by setting this environment variable when running Certbot commands.

Note: The file provided should be the one created by running update-ca-certificates using your CA chain certificates.

Example using --cert-name:

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt certbot revoke --server https://acme93.keyexample.com/ACME --reason superseded --cert-name appsrvr162.keyexample.com

Example using --cert-path and --key-path:

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt certbot revoke --server https://acme93.keyexample.com/ACME --reason keyCompromise --cert-path /etc/letsencrypt/live/appsrvr27.keyexample.com/cert.pem --key-path /etc/letsencrypt/live/appsrvr27.keyexample.com/privkey.pem