Certificate Management Service: Revoke and delete a certificate

Last Updated: Oct 16, 2023

If you no longer need an SSL certificate that is issued or you do not want to use the certificate for security reasons, you can submit a request to revoke the certificate in the Certificate Management Service console. Certificate Management Service allows you to permanently delete an expired or revoked certificate. This topic describes how to revoke and delete a certificate.

Revoke a certificate

If you revoke an issued certificate, the certificate is deregistered from the certificate authority (CA) that issued it. After the certificate is revoked, it cannot be used for encryption and is no longer trusted by browsers.

Revocation scenarios

You may need to revoke a certificate in one of the following scenarios:

  • The information that you specified to apply for the certificate is invalid, but the certificate is issued. In this case, you must revoke the certificate, modify the information, and then submit a new application.

  • The certificate is issued, but you want to change the domain name that is bound to the certificate.

  • You do not want to use an issued certificate for security or other reasons.

Revocation limits

  • Each time you purchase a certificate by using Certificate Management Service, you can submit one revocation request for a certificate that has the same specifications as the purchased certificate.

    For example, if you purchased five DigiCert organization validated (OV) certificates, you can submit five revocation requests for your DigiCert OV certificates. After you submit five revocation requests, you can no longer request to revoke DigiCert OV certificates.

    If a certificate is refunded, no revocation quota is provided for the certificate.

  • If you submit a revocation request and the revocation process is completed within 28 calendar days after the certificate is issued, the quota that was consumed to apply for the certificate is restored. If the revocation process is completed more than 28 calendar days after the certificate is issued, the quota that was consumed to apply for the certificate is not restored.

  • If more than 28 calendar days have passed since a certificate was issued, you cannot change the domain name that is bound to the certificate. You can revoke the certificate and purchase a new certificate.

Instructions on refund requests after a certificate is revoked

CAs process a certificate revocation request within a maximum of five business days. If you want to revoke a certificate and claim a refund, you must submit the revocation request in the Certificate Management Service console at least five business days before the 28 calendar days elapse. The 28-calendar-day period starts from the time when the certificate is purchased.

Important

Otherwise, the revocation request may fail to be approved in time. As a result, the refund request will be rejected.

Revocation process

Before you can revoke a certificate, make sure that the following conditions are met:

  • The certificate is purchased and issued from Alibaba Cloud Certificate Management Service.

    Note

    If the certificate is a third-party certificate that is uploaded to the Certificate Management Service console for centralized management, the certificate cannot be revoked. You must revoke the certificate in the system of the third-party certificate provider.

  • The certificate has not expired.

  • The certificate is not in the Hosted state.

    If a certificate is hosted, the certificate is automatically renewed when it is due to expire. If the hosted certificate is revoked, the automatic renewal fails. If you want to revoke a certificate that is hosted, you must cancel hosting for the certificate. For more information, see Cancel hosting for a certificate.

To revoke a certificate, perform the following steps:

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click SSL Certificates.
  3. On the Manage Certificates tab, find the issued certificate that you want to revoke, and then click Revoke in the Actions column.

  4. In the Revoke Certificate panel, specify the revocation request information and click OK.

    You must configure Revocation Cause based on the actual situation.

  5. In the Note message, click OK.

    If you submit a revocation request for an extended validation (EV) certificate, the CA sends you an email to confirm the revocation request. You must check and reply to the email at the earliest opportunity. Otherwise, approval of the revocation request may be delayed.

    Warning

    After an issued certificate is revoked, it cannot be restored. Proceed with caution.

    After you submit the revocation request, you can select Validating Revocation from the status drop-down list above the certificate list on the Manage Certificates tab to view the progress of the revocation. After the revocation request is approved, the certificate is revoked within 48 hours.

    If you select Automatic Refund when you submit the revocation request, Alibaba Cloud automatically initiates a refund process after the certificate is revoked.
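The preconditions and refund timing described above can be checked against your own certificate inventory before you open the console. The following is an added example, not Alibaba Cloud code or a service API: the `Cert` record and the function names are hypothetical, business days are assumed to be Monday to Friday with no public holidays, and the refund window is taken to end 28 calendar days after the purchase date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REFUND_WINDOW_DAYS = 28   # calendar days, counted from purchase (per this topic)
CA_PROCESSING_BDAYS = 5   # maximum CA processing time in business days (per this topic)

@dataclass
class Cert:               # hypothetical inventory record, not a service API object
    purchased_here: bool  # purchased and issued through Certificate Management Service
    hosted: bool          # certificate is in the Hosted state
    purchased: date
    expires: date

def minus_business_days(day: date, n: int) -> date:
    """Step back n business days; assumes Mon-Fri with no public holidays."""
    while n > 0:
        day -= timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day

def revoke_blockers(cert: Cert, today: date) -> list[str]:
    """Return the documented preconditions that this certificate fails."""
    blockers = []
    if not cert.purchased_here:
        blockers.append("third-party upload: revoke at the original provider")
    if cert.expires <= today:
        blockers.append("certificate has expired")
    if cert.hosted:
        blockers.append("cancel hosting before revoking")
    return blockers

def refund_submit_deadline(cert: Cert) -> date:
    """Latest day to submit so five business days fit inside the 28-day window."""
    window_end = cert.purchased + timedelta(days=REFUND_WINDOW_DAYS)
    return minus_business_days(window_end, CA_PROCESSING_BDAYS)

if __name__ == "__main__":
    # Constructed sample: purchased Monday 2023-10-02 and still hosted.
    cert = Cert(True, True, date(2023, 10, 2), date(2024, 10, 2))
    print(revoke_blockers(cert, date(2023, 10, 16)))
    print(refund_submit_deadline(cert))
```

An empty list from `revoke_blockers` means none of the three documented preconditions is violated; it does not check the revocation quota.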

Delete a certificate

Before you delete a certificate, you must check the deployment status of the certificate on the SSL Certificates page of the Certificate Management Service console. If the certificate is deployed to an Alibaba Cloud service, we recommend that you assess the risks before you delete the certificate.

Warning

If you directly delete a certificate that is deployed to an Alibaba Cloud service, the workloads of the Alibaba Cloud service may be interrupted.

When you delete a certificate, take note of the following items:

  • If the certificate was purchased from Certificate Management Service and has expired, you can directly delete the certificate. If the certificate has not expired, you must revoke the certificate before you can delete it. For more information, see Revoke a certificate.

  • If the certificate is a third-party certificate that is manually uploaded to the Certificate Management Service console for centralized management, you can directly delete the certificate.

Warning

After a certificate is deleted, the data of the certificate cannot be restored. Proceed with caution.

To delete a certificate, perform the following steps:

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click SSL Certificates.
  3. On the Manage Certificates tab, find the certificate that you want to delete and click Delete in the Actions column.

  4. In the Confirmation message, click Delete.

    After the certificate is deleted, it is permanently removed from the certificate list.