If you no longer want to use a private certificate authority (CA) in the enabled state to issue certificates, you can revoke the private CA in the SSL Certificates Service console before it expires.


Prerequisites

No certificates issued by the private CA exist.

If one or more issued certificates exist in the certificate list of the private CA that you want to revoke, you must revoke the issued certificates before you revoke the private CA. For more information about how to revoke a certificate, see Revoke a private certificate.

Background information

Only private CAs in the enabled state can be revoked. You cannot claim a refund for a private CA in the revoked state. After a private CA is revoked, you cannot apply for private certificates from the private CA, and the private CA cannot issue private certificates.


Procedure

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the private CA in the Enabled state that you want to revoke. Then, revoke it.
    Both private root CAs and private intermediate CAs can be revoked. We recommend that you revoke private intermediate CAs of a private root CA before you revoke the private root CA. The following description provides specific instructions:
    • To revoke a private root CA, click Revoke in the Actions column.
    • To revoke a private intermediate CA, click the More icon in the Actions column and select Revoke.
  4. In the Confirmation message, click Revoke.
    After you confirm the revocation, the certificate is immediately revoked. When the value in the Status column for the private CA changes to Revoked, you can click Delete in the Actions column to delete the private CA from the private CA list.
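
The ordering rules above (issued certificates first, then intermediate CAs, then the root CA, and only CAs in the Enabled state) can be checked before you start clicking. The following is an added example, not code from the SSL Certificates Service documentation: it plans the order over a locally constructed inventory and calls no cloud API. The `CA` class, the step labels, and all CA and certificate names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CA:
    name: str
    status: str                      # the page only requires "Enabled" for revocation
    parent: Optional[str] = None     # None for a private root CA
    unrevoked_certs: List[str] = field(default_factory=list)

def revocation_plan(inventory: List[CA], target: str) -> List[Tuple[str, str]]:
    """Return the ordered console actions needed to revoke `target`.

    Step labels ("revoke-certificate", "revoke-ca") are this example's own
    names for the console actions, not API operations.
    """
    by_name = {ca.name: ca for ca in inventory}
    if target not in by_name:
        raise KeyError(f"unknown CA: {target}")
    if by_name[target].status != "Enabled":
        raise ValueError(f"{target} is not Enabled; only Enabled CAs can be revoked")

    steps: List[Tuple[str, str]] = []

    def visit(name: str) -> None:
        # Subordinate CAs first, so intermediates precede their root.
        for child in sorted(c.name for c in inventory if c.parent == name):
            visit(child)
        ca = by_name[name]
        if ca.status != "Enabled":
            return                   # nothing to revoke for this CA
        # Issued certificates must be revoked before the CA itself.
        for cert in ca.unrevoked_certs:
            steps.append(("revoke-certificate", cert))
        steps.append(("revoke-ca", name))

    visit(target)
    return steps

# Constructed sample inventory (not real data).
INVENTORY = [
    CA("root-ca", "Enabled"),
    CA("sub-ca-a", "Enabled", parent="root-ca",
       unrevoked_certs=["web01.internal.example", "db01.internal.example"]),
    CA("sub-ca-b", "Revoked", parent="root-ca"),
]

if __name__ == "__main__":
    for action, subject in revocation_plan(INVENTORY, "root-ca"):
        print(f"{action:20} {subject}")
```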