Certificate Management Service: Revoke and delete a certificate

Last Updated: Mar 28, 2024

If you no longer want to use an issued SSL certificate for security or other reasons, you can revoke the certificate. If you revoke an issued certificate, the certificate is deregistered from the certificate authority (CA) that issued it, and the certificate can no longer be used to protect data transmission. You can revoke a certificate in the Certificate Management Service console, and permanently delete an expired or revoked certificate from the certificate list. This keeps the certificate list accurate and secure.

Revoke a certificate

If you revoke an issued certificate, the certificate is deregistered from the certificate authority (CA) that issued it. After the certificate is revoked, it cannot be used for encryption and is no longer trusted by browsers.

Revocation scenarios

The following table describes the scenarios in which you may need to revoke a certificate.

Scenario: The information that you specified to apply for the certificate is invalid, but the certificate is issued. In this case, you must revoke the certificate, modify the information, and then submit a new application.

Description:

  • If the certificate has been issued for no more than 28 calendar days and you did not change the domain name that is bound to the certificate, the system returns the quota that was consumed to apply for the certificate after you submit a revocation request and the certificate is revoked. You can use the returned quota to submit a new certificate application.

  • If the certificate has been issued for more than 28 calendar days or you changed the domain name that is bound to the certificate within 28 calendar days after the certificate was issued, the system does not return the quota that was consumed to apply for the certificate after you submit a revocation request and the certificate is revoked. You must revoke the certificate and then purchase a new certificate.

Scenario: The certificate is issued, but you want to change the domain name that is bound to the certificate.

Description: After a certificate is issued, you cannot change the domain name that is bound to the certificate. You can revoke the certificate and purchase a new certificate.

Scenario: You do not want to use an issued certificate for security or other reasons.

Description: You can directly revoke the certificate.

Revocation rules

  • Each time you purchase a certificate by using Certificate Management Service, you can obtain a quota to submit one revocation request for a certificate of the same brand and certificate type as the purchased certificate. If a certificate is refunded, no revocation quota is provided for the certificate.

    For example, if you purchased five DigiCert organization validated (OV) certificates, you can submit five revocation requests for your DigiCert OV certificates. After you submit five revocation requests, you can no longer request to revoke DigiCert OV certificates.

  • If a certificate has been issued for no more than 28 calendar days and you did not change the domain name that is bound to the certificate, the system returns the quota that was consumed to apply for the certificate after the certificate is revoked. If the certificate has been issued for more than 28 calendar days or you changed the domain name that is bound to the certificate within 28 calendar days after the certificate was issued, the system does not return the quota that was consumed to apply for the certificate after it is revoked.

Time required for revocation review

If you want to revoke a certificate and apply for a refund, you must submit a revocation request within two calendar days after the certificate is purchased. After the revocation request is approved, the certificate is revoked within 48 hours.

Warning

If you do not submit a revocation request within two calendar days after the certificate is purchased, the revocation request may fail to be approved in time. As a result, the refund request will be rejected.

Revocation process

Before you can revoke a certificate, make sure that the following conditions are met:

  • The certificate is purchased and issued from Alibaba Cloud Certificate Management Service.

    Note

    If the certificate is a third-party certificate that is uploaded to the Certificate Management Service console for centralized management, you cannot revoke the certificate in the console. You must revoke the certificate in the system of the third-party certificate provider.

  • The certificate has not expired.

  • The certificate is not in the Hosted state.

    If a certificate is hosted, the certificate is automatically renewed when it is due to expire. If the hosted certificate is revoked, the automatic renewal fails. If you want to revoke a certificate that is hosted, you must cancel hosting for the certificate. For more information, see Cancel hosting for a certificate.

To revoke a certificate, perform the following steps:

Warning

After an issued certificate is revoked, it cannot be restored. Proceed with caution.

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click SSL Certificates.

  3. On the Manage Certificates tab, find the issued certificate that you want to revoke, and click Revoke in the Actions column.

  4. In the Revoke Certificate panel, specify the revocation request information and click OK.

    You must configure Revocation Cause based on the actual situation.

  5. In the Note message, read the note and click OK.

    If you submit a revocation request for an extended validation (EV) certificate, the CA sends an email for you to confirm the revocation request. You must check and reply to the email at the earliest opportunity. Otherwise, approval of the revocation request may be delayed.

    After you submit the revocation request, you can select Validating Revocation from the status drop-down list above the certificate list on the Manage Certificates tab to view the progress of the revocation request. After the revocation request is approved, the certificate is revoked within 48 hours.

    If you select Automatic Refund when you submit the revocation request, Alibaba Cloud automatically initiates a refund process after the certificate is revoked.

Delete a certificate

Warning
  • If you directly delete a certificate that is deployed to an Alibaba Cloud service, the workloads of the Alibaba Cloud service may be interrupted.

  • After a certificate is deleted, the data of the certificate cannot be restored. Proceed with caution.

Before you delete a certificate, take note of the following items:

  • If the certificate was purchased from Certificate Management Service and has expired, you can directly delete the certificate. If the certificate has not expired, you must revoke the certificate before you can delete it. For more information, see Revoke a certificate.

  • If the certificate is a third-party certificate that is manually uploaded to the Certificate Management Service console for centralized management, you can directly delete the certificate.

  • Before you delete a certificate, you must check the deployment status of the certificate on the SSL Certificates page. If the certificate is deployed to an Alibaba Cloud service, we recommend that you evaluate risks before you delete the certificate.

To delete a certificate, perform the following steps:

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click SSL Certificates.

  3. On the Manage Certificates tab, find the certificate that you want to delete and click Delete in the Actions column.

  4. In the Confirmation message, click Delete.

    After the certificate is deleted, it is permanently removed from the certificate list.

    If the certificate list contains multiple certificates that have expired or been revoked, you can select Expired or Revoked from the status drop-down list above the certificate list to delete multiple invalid certificates at a time.
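The revocation and deletion preconditions above can be checked across a certificate inventory before anyone opens the console. The following is an added example, not Alibaba Cloud code: the Cert record, its field names and the three functions are hypothetical, and it assumes "no more than 28 calendar days" means at most 28 days between the issue date and today.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Cert:
    # Hypothetical inventory record; field names are not an Alibaba Cloud API.
    name: str
    purchased_from_cms: bool      # False = third-party certificate uploaded for management
    issued: date
    expires: date
    hosted: bool = False          # in the Hosted state (automatic renewal)
    revoked: bool = False
    domain_changed: bool = False  # bound domain name changed after issuance
    deployed: bool = False        # deployed to an Alibaba Cloud service

def revoke_blockers(c: Cert, today: date) -> list:
    """Reasons the console revocation preconditions are not met (empty = OK)."""
    reasons = []
    if not c.purchased_from_cms:
        reasons.append("third-party certificate: revoke with the original provider")
    if c.expires < today:
        reasons.append("certificate has expired")
    if c.hosted:
        reasons.append("cancel hosting first")
    if c.revoked:
        reasons.append("already revoked")
    return reasons

def quota_returned(c: Cert, today: date) -> bool:
    """Quota is returned only within 28 calendar days and with the domain unchanged."""
    return (today - c.issued).days <= 28 and not c.domain_changed

def delete_plan(c: Cert, today: date) -> str:
    """Next step toward removing the certificate from the certificate list."""
    if c.purchased_from_cms and not (c.revoked or c.expires < today):
        return "revoke-first"     # unexpired purchased certificates must be revoked first
    return "evaluate-deployment-risk" if c.deployed else "delete"

# Constructed sample inventory, evaluated as of a fixed date.
TODAY = date(2024, 3, 28)
SAMPLE = [
    Cert("fresh-ov", True, date(2024, 3, 10), date(2025, 3, 10)),
    Cert("hosted-dv", True, date(2024, 1, 1), date(2025, 1, 1), hosted=True, deployed=True),
    Cert("uploaded", False, date(2023, 6, 1), date(2025, 6, 1), deployed=True),
    Cert("expired-dv", True, date(2023, 1, 1), date(2024, 1, 1)),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.name, revoke_blockers(c, TODAY), quota_returned(c, TODAY), delete_plan(c, TODAY))
```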
