Revoke certificates
This page explains how to revoke certificates.
Certificate Authority Service supports certificate revocation by periodically publishing Certificate Revocation Lists (CRLs). You can only revoke certificates issued by CA pools in the Enterprise tier.
Before you begin
Make sure you have the Certificate Authority Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) role. For more information about the predefined IAM roles for CA Service, see Access control with IAM.
For information about granting an IAM role, see Granting a single role.
Enable CRL publication
To revoke the certificates issued by a CA pool, you must enable CRL publication on the CA pool. You can enable CRL publication while creating a CA pool. If initially disabled, you can enable CRL publication later.
After you enable CRL publication, a new CRL is published daily and is valid for 7 days. A new CRL is also published within 15 minutes of any new certificate revocation.
To enable CRL publication on a CA pool, do the following:
Console
- Go to the Certificate Authority Service page in the Google Cloud console.
- Click the CA Pool Manager tab.
- Click the CA pool that you want to edit or click the CA pool that has the CA that you want to edit.
- On the CA pool page, click Edit.
- Click Next until you get to the Configure publishing options section.
- Click the Publish CRL to GCS bucket for CAs in this pool toggle.
gcloud
Run the following command:
gcloud privateca pools update POOL_ID \
--publish-crl
Replace POOL_ID with the name of the CA pool.
For more information about the gcloud privateca pools update
command, see gcloud privateca pools update.
CA Service enforces a limit of 500,000 unexpired revoked certificates per CRL.
Revoke a certificate
CA Service allows revoking certificates by serial number or resource name, and also accepts an optional reason. After a certificate is revoked, its serial number and revocation reason appear in all future CRLs until the certificate reaches its expiry date. An out-of-band CRL is also generated within 15 minutes of revocation.
To revoke a certificate, use the following steps:
Console
- Go to the Certificate Authority Service page in the Google Cloud console.
- Click the Private certificate manager tab.
- In the list of certificates, click View more in the row of the certificate you want to revoke.
- Click Revoke.
- In the dialog that opens, click Confirm.
gcloud
To revoke a certificate using its resource name, run the following command:
gcloud privateca certificates revoke \
--certificate CERT_ID \
--issuer-pool POOL_ID \
--reason REVOCATION_REASON
Replace the following:
- CERT_ID: The unique identifier of the certificate that you want to revoke.
- POOL_ID: The name of the CA pool that issued the certificate.
- REVOCATION_REASON: The reason for revoking the certificate.
The --reason flag is optional. For more information about this flag, see --reason, or use the following gcloud command with the --help flag:
gcloud privateca certificates revoke --help
For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.
To revoke a certificate using its serial number, run the following command:
gcloud privateca certificates revoke \
--serial-number SERIAL_NUMBER \
--issuer-pool POOL_ID \
--reason REVOCATION_REASON
Replace the following:
- SERIAL_NUMBER: The serial number of the certificate.
- POOL_ID: The name of the CA pool that issued the certificate.
- REVOCATION_REASON: The reason for revoking the certificate.
For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.
When prompted to confirm, you can do so by entering 'Y':
You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]
Do you want to continue? (Y/n) Y
Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.
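The CRL behaviour described in this page (a new CRL published daily and valid for 7 days; each revoked certificate listed by serial number with its reason until the certificate expires) can be checked from the relying-party side. The following Python script is an added example, not code from this page or from the CA Service client libraries. It builds a constructed sample CRL in memory with a throwaway EC key so that it runs offline, verifies the CRL signature, checks the validity window and the daily-republish expectation, and looks up a hex serial number of the form that gcloud --serial-number takes. The serial numbers, the issuer name and the one-day republish expectation are assumptions; against a real pool you would load the DER CRL that CA Service publishes to the pool's bucket and the issuing CA certificate's public key instead.

```python
"""Relying-party checks on a CRL: signature, freshness, and serial lookup.

The CRL is constructed in-process with a throwaway key so the script runs
offline. Nothing here calls the CA Service API; the 7-day validity and the
daily republish cadence are taken from the page, everything else is assumed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical serial numbers (constructed). CA Service reports serial
# numbers as hex strings, which is also what gcloud --serial-number takes.
REVOKED_SERIAL_HEX = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
VALID_SERIAL_HEX = "00ff00ff00ff00ff00ff00ff00ff00ff"

CRL_LIFETIME = timedelta(days=7)        # stated on the page
REPUBLISH_INTERVAL = timedelta(days=1)  # stated on the page: a new CRL daily


def build_sample_crl(published):
    """Constructed sample: a CRL signed by a throwaway CA key.

    Returns (der_bytes, ca_public_key). One entry is revoked for
    key_compromise one hour before `published`, and the CRL is valid for
    CRL_LIFETIME from its thisUpdate, mirroring the page's description.
    """
    ca_key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Internal CA")])
    this_update = published - timedelta(hours=1)
    revoked = (
        x509.RevokedCertificateBuilder()
        .serial_number(int(REVOKED_SERIAL_HEX, 16))
        .revocation_date(this_update)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(this_update)
        .next_update(this_update + CRL_LIFETIME)
        .add_revoked_certificate(revoked)
        .sign(ca_key, hashes.SHA256())
    )
    return crl.public_bytes(serialization.Encoding.DER), ca_key.public_key()


def _to_aware(dt):
    """Older cryptography releases return naive UTC datetimes; normalise."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_crl(crl_der, ca_public_key, now):
    """Validate a CRL before trusting anything it says.

    signature_valid: the CRL was signed by the key we expect.
    fresh:           now lies within [thisUpdate, nextUpdate].
    stale_by_policy: the CRL is still valid, but a newer one should already
                     have been published under the daily cadence, so the
                     copy we hold may be missing recent revocations.
    """
    crl = x509.load_der_x509_crl(crl_der)
    last_update = getattr(crl, "last_update_utc", None) or _to_aware(crl.last_update)
    next_update = getattr(crl, "next_update_utc", None) or _to_aware(crl.next_update)
    return {
        "signature_valid": crl.is_signature_valid(ca_public_key),
        "fresh": last_update <= now <= next_update,
        "stale_by_policy": now > last_update + REPUBLISH_INTERVAL,
        "revoked_count": len(crl),
    }


def revocation_status(crl_der, serial_hex):
    """Look up a hex serial number on the CRL.

    Returns None if the serial is not listed, otherwise the reason name, or
    "unspecified" when the entry carries no CRLReason extension.
    """
    crl = x509.load_der_x509_crl(crl_der)
    entry = crl.get_revoked_certificate_by_serial_number(int(serial_hex, 16))
    if entry is None:
        return None
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
    except x509.ExtensionNotFound:
        return "unspecified"


def run_demo(days_later=0):
    """Build the constructed CRL and evaluate it `days_later` days after it
    was published. Returns every result in one dict."""
    published = datetime.now(timezone.utc)
    der, ca_pub = build_sample_crl(published)
    result = check_crl(der, ca_pub, published + timedelta(days=days_later))
    result["revoked_reason"] = revocation_status(der, REVOKED_SERIAL_HEX)
    result["valid_reason"] = revocation_status(der, VALID_SERIAL_HEX)
    return result


if __name__ == "__main__":
    print("day 0:", run_demo())
    print("day 8:", run_demo(days_later=8))
```

The script assumes the `cryptography` package is installed. The `stale_by_policy` flag is the check a monitoring job would alert on: a CRL can be well inside its 7-day validity and still be the wrong copy if the daily republish (or the out-of-band CRL that follows a revocation) has not been picked up.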
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
What's next
- Learn how to sort and filter certificates.
- Learn how to implement a delegated OCSP responder.