Revoking a certificate means deregistering an issued SSL certificate from the certification authority (CA). This action invalidates the certificate for encryption and causes it to be untrusted by browsers. You can revoke a certificate for various reasons, including security concerns. Certificate Management Service lets you revoke certificates. You can also delete expired or revoked certificates from the certificate list to keep it accurate and secure.
Revoke an SSL certificate
Scenarios
The SSL certificate is issued, but you need to modify the certificate application information, change the domain name bound to the certificate, or change the encryption algorithm.
If the certificate was issued less than 28 calendar days ago and its domain name has not been changed: After you submit a revocation request and the certificate is successfully revoked, Alibaba Cloud returns the corresponding SSL certificate quota. You can use the returned quota to submit a new certificate application.
NoteThe 28 calendar days are calculated from the issuance time of the certificate. For example, if a certificate is issued at 12:00:00 on May 1, 2025, the 28-day period ends at 12:00:00 on May 29, 2025. If you complete the revocation process before this deadline and have not changed the domain name, Alibaba Cloud returns the corresponding certificate quota. The quota is not returned if the revocation is completed after this deadline.
If the certificate was issued more than 28 calendar days ago or its domain name has been changed: After you submit a revocation request and the certificate is successfully revoked, Alibaba Cloud does not return the consumed SSL certificate quota. After the SSL certificate is revoked, you must purchase a new SSL certificate.
You no longer want to use an issued SSL certificate for security or other reasons.
Simply revoke the certificate.
Revocation rules
Each time you purchase an SSL certificate of a specific brand and type from Certificate Management Service, you receive one opportunity to revoke a certificate of the same specifications. If a refund was successfully processed for an SSL certificate order of a specific specification, that order does not include a revocation opportunity.
For example, if you purchase five DigiCert OV certificates, you receive five opportunities to revoke that type of certificate. After you use all five revocation opportunities, you cannot submit more requests.
If a certificate is revoked within 28 calendar days of issuance and its domain name has not been changed, Alibaba Cloud returns the corresponding SSL certificate quota after the revocation. If the certificate is revoked more than 28 days after issuance or its domain name has been changed, the SSL certificate quota is not returned.
Time required for revocation review
The CA may take up to five business days to process a revocation request. If you want to revoke a certificate and request a refund, you must submit the revocation request within seven calendar days of placing the order. After the revocation is approved, it takes effect within 48 hours.
If you do not allow sufficient time for the revocation, the process may be completed after the refund period ends. This can result in a failed refund and financial loss.
Revocation process
Before you revoke an SSL certificate, make sure that the following conditions are met:
The SSL certificate was purchased from and issued by Alibaba Cloud Certificate Management Service.
NoteIf your SSL certificate is a third-party certificate that you uploaded to Certificate Management Service for centralized management, you cannot revoke it in the console. You must revoke the certificate in the system of the third-party provider.
The SSL certificate has not expired.
The SSL certificate is not in the Hosted state.
If a certificate is hosted, it is automatically renewed before it expires. If the hosted certificate is revoked, the automatic renewal fails. To revoke a hosted SSL certificate, you must first cancel hosting for the certificate. For more information, see Cancel certificate hosting.
Follow these steps to revoke an SSL certificate.
An issued certificate cannot be restored after it is revoked. To prevent service disruptions, proceed with caution.
Log on to the Certificate Management Service console.
In the navigation pane on the left, choose .
On the Target Certificate tab, locate the certificate that you want to revoke and click More in the Actions column.
On the Revoke tab, confirm the revocation information and click Confirm Revoke.
In the Note dialog box, read the message carefully and click OK.
If your certificate is an Extended Validation (EV) certificate, the CA sends a confirmation email to your mailbox after you submit the revocation request. You must follow the instructions in the confirmation email promptly. Otherwise, the revocation review may be delayed.
After you submit the revocation request, on the Official Certificate tab, you can select Validating Revocation from the certificate status drop-down list to view the revocation progress. After the revocation is approved, it takes effect within 48 hours.
If you select Automatic Refund when you submit the revocation request, Alibaba Cloud automatically starts the refund process after the certificate is revoked.
Delete an SSL certificate
Deleting an SSL certificate that is deployed to an Alibaba Cloud service may cause service disruptions.
An SSL certificate cannot be recovered after it is deleted. We recommend that you proceed with caution.
Before you delete an SSL certificate, note the following:
For an SSL certificate purchased from Certificate Management Service: if the certificate has expired, you can delete it directly. If the certificate has not expired, you must revoke it before you can delete it. For more information, see Revoke an SSL certificate.
You can directly delete a third-party SSL certificate that you manually uploaded to Certificate Management Service for management.
Before you delete an SSL certificate, check its deployment status. If the certificate is deployed to an Alibaba Cloud service, evaluate the business risks before you delete it.
Follow these steps to delete an SSL certificate.
Log on to the Certificate Management Service console.
In the navigation pane on the left, choose .
On the Official Certificate tab, find the certificate that you want to delete, and in the Actions column, click Delete.
In the Tip dialog box, click Delete.
After the certificate is successfully deleted, it is permanently removed from the certificate list.
If your certificate list contains multiple expired or revoked certificates, you can select Expired or Revoked from the drop-down list above the list and then select multiple invalid certificates to delete them.