About revoking certificates manually

You can manually revoke certificates that are managed at the Monitoring, Enrollment, or Provisioning level of certificate management.

NOTE   You must have write and revoke permissions to the certificate object to revoke the certificate.

Manual revocation is supported by all CA drivers with the exception of the Self-Signed CA because revocation is only applicable to CA-signed certificates.

Revocation is generally limited to those certificates that were enrolled by Trust Protection Platform and those that belong to you and that were issued through your CA accounts.

When you revoke a certificate, Trust Protection Platform attempts to locate the corresponding certificate authority (CA) template object. If a CA template object has a root or intermediate root certificate whose name matches the Issuer of the certificate being revoked, Trust Protection Platform attempts to revoke the certificate using that CA.

If more than one match is found, it attempts to use the first one located. If the issuer of the certificate is not found on any CA template object, it then attempts to revoke the certificate using the current CA configured on the certificate object.

To revoke a certificate dynamically, you must manually add intermediate or root certificates that issued your certificates to the corresponding CA template object.

If the Issuer of the certificate isn't known, Trust Protection Platform begins with the known CA and revokes the certificate based on the CA, not the Issuer.
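As an added illustration (not part of this documentation and not Trust Protection Platform code), the following Python models the CA-selection order described above and flags certificates whose revocation would be ambiguous (several matching templates, first one used) or would fall back to the configured CA; the class names, fields and sample data are assumptions.

```python
# Model of the CA-selection rules for manual revocation; constructed example.
# Class names, fields and sample data are assumptions, not TPP's own API.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CATemplate:
    name: str
    chain_names: Tuple[str, ...]  # root/intermediate certificates added to the template


@dataclass
class Certificate:
    dn: str
    issuer: Optional[str]  # Issuer name from the certificate; None if unknown
    configured_ca: str     # CA template currently configured on the certificate object


def select_revocation_ca(cert: Certificate, templates) -> Tuple[str, str, bool]:
    """Return (template_name, reason, ambiguous) following the documented order:
    a template whose root/intermediate name equals the Issuer wins (first match
    if several); otherwise the CA configured on the certificate object is used."""
    if cert.issuer is not None:
        matches = [t for t in templates if cert.issuer in t.chain_names]
        if matches:
            return matches[0].name, "issuer-match", len(matches) > 1
    return cert.configured_ca, "configured-ca", False


def audit(certs, templates) -> List[Tuple[str, str]]:
    """List certificates whose revocation would be ambiguous or fall back."""
    findings = []
    for cert in certs:
        ca, reason, ambiguous = select_revocation_ca(cert, templates)
        if ambiguous:
            findings.append((cert.dn, f"issuer matches several templates; first used: {ca}"))
        elif reason == "configured-ca":
            findings.append((cert.dn, f"issuer not on any template; falling back to {ca}"))
    return findings


# Constructed sample inventory.
TEMPLATES = (
    CATemplate("Corp-Issuing-CA", ("Corp Root CA", "Corp Issuing CA 1")),
    CATemplate("Corp-Issuing-CA-Legacy", ("Corp Root CA", "Corp Issuing CA 1")),
    CATemplate("Public-CA", ("Public Root G2",)),
)
CERTS = (
    Certificate("cert-app1", "Public Root G2", "Public-CA"),        # clean match
    Certificate("cert-app2", "Corp Issuing CA 1", "Corp-Issuing-CA"),  # ambiguous
    Certificate("cert-app3", "Other Issuer", "Public-CA"),          # not on any template
    Certificate("cert-app4", None, "Corp-Issuing-CA"),              # issuer unknown
)

if __name__ == "__main__":
    for dn, msg in audit(CERTS, TEMPLATES):
        print(dn, "-", msg)
```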

The Revoke option is available in the certificate object’s Summary and History pages. From the Certificate Summary page, you can revoke the most recent version of the certificate.

Revoke Option in the Certificate Summary Page

The Revoke option in the Certificate History page allows you to revoke previous versions of the current certificate that have not yet expired or been revoked.

For example, if you renew a certificate several months before it expires, you can provision the new certificate on all of its associated servers and then, after verifying that everything is functioning properly, revoke the previous, still-valid versions of the certificate from the Certificate History tab.

The History tab indicates the certificate(s) for which Trust Protection Platform has submitted a revocation request.

Revoke Option on the History page

When you revoke a certificate, Trust Protection Platform submits a revocation request to the certificate CA. If you select the Revoke and Disable option, Trust Protection Platform submits a revocation request to the certificate CA, and then disables the certificate so that no further processing can occur.

DID YOU KNOW?  DigiCert CertCentral and GlobalSign MSSL do not support revocation from the History tab. This is due to behavior and restrictions that could result in unintentionally revoking other certificates.

To safeguard your system against unauthorized certificate revocations, you can configure a workflow to require approval for certificate revocations. Certificate revocations are assigned to stage 1400 of the certificate lifecycle, so you must configure the workflow to trigger on stage 1400. To implement the workflow, you must then apply the workflow in the appropriate folder. For more information on configuring and implementing Workflow objects, see Workflow management.

When Trust Protection Platform processes a certificate revocation request, the revocation status appears in the Certificate Summary or History pages. Additionally, Trust Protection Platform logs the following events:

Certificate Revocation Events

Action    Event
Request   The request to revoke certificate_DN has been submitted to the CA.
Success   The request to revoke certificate_DN has succeeded.
Fail      The request to revoke certificate_DN has failed.

The initial Revocation Request event can be viewed in the Certificate object’s event log. The subsequent Success or Failure events can be viewed in the certificate’s associated CA template object’s event log.

For more information on object event logs, see Log events.

To facilitate management of revocation events, you can also create Notification objects to provide notifications of certificate revocation events.

For more information on configuring event notification, see About certificate notification and logging.