Revoke certificate using automated certificate management

  • Release version: Washingtondc
  • Updated February 1, 2024

    Request revocation of a certificate for an application. The revocation task is approved automatically when the order ID and certificate ID are present in the Certificate Extension table; if either is missing, the task requests approval.

    Before you begin

    Ensure the Certificate Management catalog is enabled and that a Routing Policy is created.

    Role required: pki_admin or admin

    Note:
    Approvals are only supported in the Fulfiller approval experience at this time.

    Procedure

    1. Navigate to All > Service Catalog > Certificate Management.
    2. Select Revoke Certificate – Automated flow.
    3. Select the issued certificate that you want to revoke (for instance: www.undefined.com).
      You can select multiple certificates for revocation.
    4. Provide an appropriate reason for revoking the certificate.
      For Microsoft CA the reason must be an integer CRL reason code as defined in RFC 5280 (for example, 1 for keyCompromise or 4 for superseded). Any other value is replaced with the default 0, which means unspecified.
    5. To place the revoke order, select Submit.
    6. In the confirmation pop-up, select OK.

    Result

    1. A task is created automatically when you request a revocation.
      • If the order ID and certificate ID are present in the Certificate Extension [sn_disco_certmgmt_certificate_extension] table, the revocation does not require approval.
      • If the order ID and certificate ID are not present in the Certificate Extension [sn_disco_certmgmt_certificate_extension] table, the task requests approval.
      • For Entrust CA Gateway, the task also requests approval if the serial number is not present in the Certificate Extension [sn_disco_certmgmt_certificate_extension] table.
    2. Once the PKI team approves the task (or immediately, if no approval is required), the certificate is mapped to a CA according to the selected routing policy.
    3. This triggers the revocation operation for the selected CA, which calls the CA's APIs.
    4. The details are stored in the Certificate Extension table.
    5. Every 30 minutes, the scheduled job DigiCert – Track Certificate Order Status runs and checks the order status.
      Note:
      There are no scheduled jobs for Entrust CA Gateway and Microsoft CA.
    6. The status of the certificate is then marked as revoked.
    Note:

    A certificate cannot be revoked if the Certificate Authority or Certificate ID details are missing from the Certificate Extension [sn_disco_certmgmt_certificate_extension] table. For Entrust CA Gateway, the certificate also cannot be revoked if the serial number is missing. Discover the certificate through a Certificate Authority query to populate the required details in the Certificate Extension table; Discovery then selects the routing policy and approves the task.
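    The following script is an added example, not ServiceNow's own code and not the flow's implementation. It encodes the approval and validation rules described above so that a pre-flight check can predict whether a revocation request will be auto-approved, will wait for PKI approval, or is blocked until the certificate is re-discovered. The record field names (caType, certificateAuthority, certificateId, orderId, serialNumber) and the sample rows are assumptions, not the real columns of sn_disco_certmgmt_certificate_extension; the reason codes are the CRLReason values from RFC 5280.

```javascript
// Added example, not ServiceNow's own code: encodes the approval and
// validation rules described above so a pre-flight check can predict how a
// revocation request will be handled. The record fields (caType,
// certificateAuthority, certificateId, orderId, serialNumber) are assumed
// names, not the real columns of sn_disco_certmgmt_certificate_extension.

// RFC 5280 CRLReason codes; Microsoft CA expects one of these integers.
// Code 7 is unassigned in RFC 5280.
const CRL_REASONS = {
  0: "unspecified",
  1: "keyCompromise",
  2: "cACompromise",
  3: "affiliationChanged",
  4: "superseded",
  5: "cessationOfOperation",
  6: "certificateHold",
  8: "removeFromCRL",
  9: "privilegeWithdrawn",
  10: "aACompromise",
};

// Name of a CRLReason code, or null if RFC 5280 does not define it.
function reasonName(code) {
  return Object.prototype.hasOwnProperty.call(CRL_REASONS, code) ? CRL_REASONS[code] : null;
}

// Microsoft CA accepts only an integer reason; any other value falls back to
// 0 (unspecified), as the page states. Other CAs take the reason as given.
function normalizeReason(caType, reason) {
  if (caType !== "Microsoft CA") {
    return reason;
  }
  const text = String(reason == null ? "" : reason).trim();
  return /^\d+$/.test(text) ? Number(text) : 0;
}

// Decide how the flow will treat one Certificate Extension row.
// Returns { revocable, approvalRequired, missing, reason }.
function planRevocation(ext, reason) {
  const isEntrust = ext.caType === "Entrust CA Gateway";
  const missing = [];

  // Hard blockers: without a CA and a certificate ID (plus the serial
  // number for Entrust CA Gateway) the CA API cannot be called at all.
  if (!ext.certificateAuthority) missing.push("certificateAuthority");
  if (!ext.certificateId) missing.push("certificateId");
  if (isEntrust && !ext.serialNumber) missing.push("serialNumber");

  // Approval is skipped only when order ID and certificate ID are both
  // present (and, for Entrust CA Gateway, the serial number as well).
  const approvalRequired =
    !(ext.orderId && ext.certificateId) || (isEntrust && !ext.serialNumber);

  return {
    revocable: missing.length === 0,
    approvalRequired,
    missing,
    reason: normalizeReason(ext.caType, reason),
  };
}

// Constructed sample rows (not real data) covering the three outcomes.
const SAMPLE_ROWS = {
  digicertComplete: {
    caType: "DigiCert", certificateAuthority: "DigiCert Prod",
    certificateId: "cert-1", orderId: "ord-1", serialNumber: "0A1B",
  },
  msNoOrder: {
    caType: "Microsoft CA", certificateAuthority: "Corp Issuing CA",
    certificateId: "req-77", orderId: "", serialNumber: "11FF",
  },
  entrustNoSerial: {
    caType: "Entrust CA Gateway", certificateAuthority: "Entrust GW",
    certificateId: "ent-5", orderId: "o-5", serialNumber: "",
  },
};

// One line per sample row describing the predicted outcome.
function summarize() {
  return Object.entries(SAMPLE_ROWS).map(([name, row]) => {
    const plan = planRevocation(row, "1");
    let outcome;
    if (!plan.revocable) {
      outcome = "blocked until CA discovery populates: " + plan.missing.join(", ");
    } else if (plan.approvalRequired) {
      outcome = "waits for PKI approval";
    } else {
      outcome = "auto-approved";
    }
    return name + ": " + outcome + " (reason " + JSON.stringify(plan.reason) + ")";
  });
}

console.log(summarize().join("\n"));
```

    Running the check before submitting avoids requests that sit in the approval queue only because discovery data is missing. It also makes the control visible: the approval step is skipped purely on the basis of fields in the Certificate Extension table, so write access to that table should be restricted as tightly as the pki_admin role itself, and a revocation that was auto-approved should be traceable back to the record that satisfied the rule.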

    The revoke certificate API request accepts a "skip_approval" flag. If "skip_approval" is true, the revocation is completed without waiting for approval; if it is false, the revocation is completed only after the DigiCert or Entrust CA Gateway administrator has approved (or rejected) the request. Because "skip_approval" bypasses the approval control, the API key used must have admin privileges.