Revoke certificates

This page explains how to revoke certificates.

Certificate Authority Service supports certificate revocation by periodically publishing Certificate Revocation Lists (CRLs). You can only revoke certificates issued by CA pools in the Enterprise tier.

Before you begin

Make sure you have the Certificate Authority Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) role. For more information about the predefined IAM roles for CA Service, see Access control with IAM.

For information about granting an IAM role, see Granting a single role.

Enable CRL publication

To revoke the certificates issued by a CA pool, you must enable CRL publication on the CA pool. You can enable CRL publication while creating a CA pool. If initially disabled, you can enable CRL publication later.

After you enable CRL publication, a new CRL is published daily and is valid for 7 days. A new CRL is also published within 15 minutes of any new certificate revocation.

To enable CRL publication on a CA pool, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Certificate Authority Service

  2. Click the CA Pool Manager tab.

  3. Click the CA pool that you want to edit or click the CA pool that has the CA that you want to edit.

  4. On the CA pool page, click Edit.

  5. Click Next until you get to the Configure publishing options section.

  6. Click the Publish CRL to GCS bucket for CAs in this pool toggle.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID \
  --publish-crl

Replace POOL_ID with the name of the CA pool.

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.

CA Service enforces a limit of 500,000 unexpired revoked certificates per CRL.

Revoke a certificate

CA Service allows revoking certificates by serial number or resource name, and also accepts an optional reason. After a certificate is revoked, its serial number and revocation reason appear in all future CRLs until the certificate reaches its expiry date. An out-of-band CRL is also generated within 15 minutes of revocation.

To revoke a certificate, use the following steps:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Click the Private certificate manager tab.
  3. In the list of certificates, click View more in the row of the certificate you want to delete.
  4. Click Revoke.
  5. In the dialog that opens, click Confirm.

gcloud

  • To revoke a certificate using its resource name, run the following command:

    gcloud privateca certificates revoke \
      --certificate CERT_ID \
      --issuer-pool POOL_ID \
      --reason REVOCATION_REASON
    

    Replace the following:

    • CERT_ID: The unique identifier of the certificate that you want to revoke.
    • POOL_ID: The name of the CA pool that issued the certificate.
    • REVOCATION_REASON: The reason for revoking the certificate.

    The --reason flag is optional. For more information about this flag, see --reason, or use the following gcloud command with the --help flag:

    gcloud privateca certificates revoke --help
    

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

  • To revoke a certificate using its serial number, run the following command:

    gcloud privateca certificates revoke \
      --serial-number SERIAL_NUMBER \
      --issuer-pool POOL_ID \
      --reason REVOCATION_REASON
    

    Replace the following:

    • SERIAL_NUMBER: The serial number of the certificate.
    • POOL_ID: The name of the CA pool that issued the certificate.
    • REVOCATION_REASON: The reason for revoking the certificate.

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

    When prompted to confirm, you can do so by entering 'Y':

    You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]
    
    Do you want to continue? (Y/n) Y
    Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.
    
    

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Revoke an issued certificate. Once revoked, the certificate will become invalid
// and will expire post its lifetime.
func revokeCertificate(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	certId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate exists.
	// certId := "certificate"			// A unique name for the certificate.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCertName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificates/%s", projectId, location,
		caPoolId, certId)

	// Create the RevokeCertificateRequest and specify the appropriate revocation reason.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#RevokeCertificateRequest.
	req := &privatecapb.RevokeCertificateRequest{
		Name:   fullCertName,
		Reason: privatecapb.RevocationReason_PRIVILEGE_WITHDRAWN,
	}

	_, err = caClient.RevokeCertificate(ctx, req)
	if err != nil {
		return fmt.Errorf("RevokeCertificate failed: %w", err)
	}

	fmt.Fprintf(w, "Certificate %s revoked", certId)

	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateName;
import com.google.cloud.security.privateca.v1.RevocationReason;
import com.google.cloud.security.privateca.v1.RevokeCertificateRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class RevokeCertificate {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Id for the CA pool which contains the certificate.
    // certificateName: Name of the certificate to be revoked.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateName = "certificate-name";
    revokeCertificate(project, location, poolId, certificateName);
  }

  // Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire
  // post its lifetime.
  public static void revokeCertificate(
      String project, String location, String poolId, String certificateName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create Certificate Name.
      CertificateName certificateNameParent =
          CertificateName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificate(certificateName)
              .build();

      // Create Revoke Certificate Request and specify the appropriate revocation reason.
      RevokeCertificateRequest revokeCertificateRequest =
          RevokeCertificateRequest.newBuilder()
              .setName(certificateNameParent.toString())
              .setReason(RevocationReason.PRIVILEGE_WITHDRAWN)
              .build();

      // Revoke certificate.
      ApiFuture<Certificate> response =
          certificateAuthorityServiceClient
              .revokeCertificateCallable()
              .futureCall(revokeCertificateRequest);
      Certificate certificateResponse = response.get();

      System.out.println("Certificate Revoked: " + certificateResponse.getName());
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import google.cloud.security.privateca_v1 as privateca_v1


def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
) -> None:
    """
    Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Create Certificate Path.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name
    )

    # Create Revoke Certificate Request and specify the appropriate revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN
    )
    result = caServiceClient.revoke_certificate(request=request)

    print("Certificate revoke result:", result)

What's next