Certificates can be revoked for a variety of reasons, including:

  • The key has been compromised.

  • The certification authority (CA) that issued the certificate has been compromised.

  • The certificate is no longer valid for the intended purpose or has been superseded by another certificate.

  • The client no longer qualifies for the certificate.

You must be a CA administrator or certificate manager to complete this procedure. For more information, see Implement Role-Based Administration.

To revoke a certificate
  1. Open the Certification Authority snap-in.

  2. In the console tree, click Issued Certificates.

  3. In the details pane, click the certificate you want to revoke.

  4. On the Action menu, point to All Tasks, and click Revoke Certificate.

  5. Select the reason for revoking the certificate, adjust the time of the revocation, if necessary, and then click Yes.

The following reason codes are available:

  • Unspecified

  • Key Compromise

  • CA Compromise

  • Change of Affiliation

  • Superseded

  • Cease of Operation

  • Certificate Hold

If you specify "Certificate Hold" as the reason for revoking the certificate, it typically means that you may want to unrevoke the certificate at a future time. Only certificates that have been revoked with the reason of "Certificate Hold" can be unrevoked.

You must be a CA administrator or certificate manager to complete this procedure. For more information, see Implement Role-Based Administration.

To unrevoke a certificate
  1. Open the Certification Authority snap-in.

  2. In the console tree, click Revoked Certificates.

  3. In the details pane, click the certificate you want to unrevoke.

  4. On the Action menu, point to All Tasks, and click Unrevoke Certificate.

  5. Select the reason for unrevoking the certificate, adjust the time of the revocation, if necessary, and then click Yes.

To be meaningful, certificate revocation must be combined with the publication and distribution of certificate revocation data.

Additional references