Revoking certificates

Certificate Authority Service supports certificate revocation by periodically publishing Certificate Revocation Lists (CRLs). Certificate revocation is only supported for CAs in the Enterprise tier, and must be enabled on the CA before it will take effect.

A note on revocation

Although CA Service publishes CRLs, revocation is only effective if client applications periodically download those CRLs and reject certificates whose serial number appears in a CRL. Not all applications support this functionality.

Enable CRL publication

CRL publication must be enabled on a CA before any CRLs are published. You can enable it when you create the CA, or, if it was initially disabled, enable it later.

When CRL publication is enabled, a new CRL will be published daily and will be valid for 7 days. A new CRL will also be published within 15 minutes of any new certificate revocations.

To enable CRL publication on a CA, use the following steps:

Console

Updating CRL publication status on an existing CA is not yet supported in Cloud Console. Please use the gcloud tool instead.

gcloud

gcloud beta privateca roots update CA_NAME \
  --publish-crl

Revoke a certificate

CA Service lets you revoke a certificate by serial number or by resource name, optionally specifying a reason. After a certificate is revoked, its serial number and revocation reason (if any) appear in all subsequently published CRLs until the certificate reaches its expiry date. A CRL reflecting the revocation is also generated within 15 minutes.
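The client-side check that the note on revocation calls for, and the lookup of a revoked serial number described above, as an added example using Go's standard library (example code written for this page, not part of CA Service or its client libraries): BuildScenario constructs a throwaway CA, a leaf certificate and a 7-day CRL revoking that leaf, and CheckCRL refuses a CRL that the issuing CA did not sign or that is outside its validity window before looking up the serial. The function names, the serial 4242, and the timestamps are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCRL is the client-side check the note on revocation calls for (example code): use the
// CRL only if the issuing CA signed it and it is inside its validity window, then reject the
// certificate if its serial number is listed.
func CheckCRL(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuing CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL outside validity window %s to %s; failing closed", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil // serial not listed: revocation check passed
}

// BuildScenario constructs a throwaway CA, a leaf certificate and a CRL valid for 7 days that
// revokes the leaf (constructed test data only, not a CRL published by CA Service).
func BuildScenario(now time.Time) (crlDER []byte, ca, leaf *x509.Certificate, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: now, NotAfter: now.AddDate(0, 1, 0)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	return crlDER, ca, leaf, err
}
```

Checking the leaf against the CRL at a time after NextUpdate is rejected as well, so a client that cannot fetch a fresh CRL does not silently keep accepting a revoked certificate.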

To revoke a certificate, use the following steps:

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

  2. Find your CA under CAs.

  3. Navigate to the Issued Certificates tab.

  4. Click on ⋮ (View More).

  5. Click on Revoke.

  6. In the dialog that opens, click on Confirm.

gcloud

To revoke a certificate by its resource name:

gcloud beta privateca certificates revoke \
  --certificate CERT_NAME \
  --issuer CA_NAME \
  --reason REVOCATION_REASON

When prompted to confirm, you may do so by entering 'Y':

You are about to revoke Certificate [projects/joonix-pki/locations/us-west1/certificateAuthorities/CA_NAME/certificates/CERT_NAME]

Do you want to continue? (Y/n) Y
Revoked certificate [projects/joonix-pki/locations/us-west1/certificateAuthorities/CA_NAME/certificates/CERT_NAME] at 2020-10-16T15:14:00.

For the full list of flags, run:

gcloud beta privateca certificates revoke --help

You may also revoke a certificate by its serial number:

gcloud beta privateca certificates revoke \
  --serial-number SERIAL_NUMBER \
  --issuer CA_NAME \
  --reason REVOCATION_REASON