If you no longer need an enabled root certificate authority (CA) or intermediate CA that has not yet expired, you can revoke it in the Certificate Management Service console. This topic describes how to revoke a root CA or an intermediate CA.

Prerequisites

  • No issued certificates exist in the certificate list of the root CA or the intermediate CA.

    If one or more issued certificates exist in the certificate list of the root CA or the intermediate CA that you want to revoke, you must revoke the issued certificates before you revoke the CA. For more information about how to revoke a certificate, see Revoke a private certificate.

  • The root CA or the intermediate CA is enabled.
    Warning: You cannot claim a refund for a root CA or an intermediate CA that is revoked. After an intermediate CA is revoked, you cannot apply for private certificates from the intermediate CA, and the intermediate CA cannot issue private certificates.

Procedure

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the private CA that you want to revoke. The private CA must be in the Enabled state.
    Both root CAs and intermediate CAs can be revoked. Before you revoke a root CA, we recommend that you revoke the intermediate CAs of the root CA.
    • To revoke an intermediate CA, click the More icon in the Actions column, and click Revoke.
    • To revoke a root CA, click Revoke in the Actions column.
  4. In the Confirmation message, click Revoke.
    After you confirm the operation, the root CA or the intermediate CA is immediately revoked. The Status of the root CA or the intermediate CA changes to Revoke. Then, you can delete the root CA or intermediate CA from the CA list.