
Solution ID : SO7001

Last Modified : 05/02/2018

How to revoke a Managed PKI for SSL certificate?

Solution

Your organization has the authority and responsibility to revoke a certificate if and when it is necessary.  Revoking a certificate permanently invalidates it (you cannot undo a revocation). Under the Symantec Certification Practice Statement (CPS), your organization is also responsible for revoking a certificate if any of the following occur.  You should generally not otherwise revoke a certificate.


  • There has been a loss, theft, modification, unauthorized disclosure, or other compromise of the private key of the certificate's subject.
  • The certificate's subject has breached a material obligation under the CPS or applicable subscriber agreement.
  • The performance of a person's obligations under this CPS or the subscriber agreement is delayed or prevented by an act of God; natural disaster; computer or communications failure; change in statute, regulation, or other law; official government action, including but not limited to acts by agencies responsible for export control administration; or other cause beyond the person's reasonable control, and as a result another person's information is materially threatened or compromised.
  • You discover that the certificate was issued in a manner not materially in accordance with the procedures required by the Symantec CPS or this document.
  • The certificate was issued to someone other than the person named as the subject of the certificate.
  • The certificate was issued without the authorization of the person named as subject of the certificate.  This may occur, for example, if someone obtained a certificate based on false or falsified information relating to naming or identity.
  • The subscriber stops being an Affiliated Individual or Organization in relation to your organization.  For example, if you use Symantec Managed PKI to issue a certificate to an employee, and the employee leaves your organization, the employee's certificate must be revoked.


A certificate can be revoked from either the Control Center or Lifecycles Pages.  A Managed PKI certificate can only be revoked from the Control Center page if it has been published to the Symantec certificate repository.  This is set in the Policy Wizard of the Control Center.  For additional information, see Managed PKI Installation and Configuration.

From the Control Center 

  1. Go to https://enterprise-ssl-admin.websecurity.symantec.com.
  2. On the Certificate Management page, in the left pane, click Search Certificates.
  3. Enter the Common Name, e-mail address, or serial number of the certificate.
  4. Specify the date range in which the certificate was issued.
  5. Click Submit.
  6. From the list, find the corresponding certificate.
  7. On the right side, click Revoke.
  8. Select a reason for revoking the certificate, add any comments, and click Revoke.

Note: Symantec processes the revocation request, revokes the certificate, updates the Audit Trail log file, and adds the certificate to the next (and subsequent) CRLs.  The revocation reason is also stored as a reason code in the CRL entry.
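
To confirm that a revoked certificate has reached the CRL with the reason you selected, you can search the CRL's text dump for its serial number once the next CRL has been published. The following is an added example, not part of the original article or Symantec's tooling: it assumes you have downloaded the CRL and dumped it with `openssl crl -noout -text`, and the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample of `openssl crl -in <file> -noout -text` output for a CRL
# with two revoked entries (illustrative values, not real Symantec data).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Managed PKI CA
        Last Update: May  2 00:00:00 2018 GMT
        Next Update: May  9 00:00:00 2018 GMT
Revoked Certificates:
    Serial Number: 1A2B3C4D
        Revocation Date: May  1 12:00:00 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0F00AA
        Revocation Date: Apr 20 08:30:00 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""

def normalize_serial(serial):
    """Reduce a serial to bare hex: drop ':', spaces and '0x', leading zeros, case."""
    return re.sub(r"[^0-9A-Fa-f]", "", serial).upper().lstrip("0") or "0"

def parse_revoked(crl_text):
    """Map normalized serial -> {'date', 'reason'}; reason is None when no code is set."""
    entries, current, want_reason = {}, None, False
    for line in crl_text.splitlines():
        line = line.strip()
        if line.startswith("Serial Number:"):
            current, want_reason = {"date": None, "reason": None}, False
            entries[normalize_serial(line.split(":", 1)[1])] = current
        elif current is None:
            continue  # still in the CRL header, before the first revoked entry
        elif line.startswith("Revocation Date:"):
            current["date"] = line.split(":", 1)[1].strip()
        elif line.startswith("X509v3 CRL Reason Code"):
            want_reason = True  # openssl prints the reason on the following line
        elif want_reason:
            current["reason"], want_reason = line, False
        elif line.startswith("Signature Algorithm:"):
            current = None  # trailing signature block: the entry list has ended
    return entries

def revocation_status(crl_text, serial):
    """Return the CRL entry for `serial`, or None if this CRL does not list it."""
    return parse_revoked(crl_text).get(normalize_serial(serial))
```

A result of `None` means the serial is not in that CRL, which is expected until the next CRL is issued after the revocation.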
 

From the Enrollment Services page


  1. Go to https://enterprise-ssl-admin.websecurity.symantec.com
  2. Under Certificate Management, in the left pane, select Enrollment Services.
  3. Click the link provided below Certificate Enrollment for Subscribers.
  4. Click Revoke.
  5. Enter the e-mail address or common name of the certificate.
  6. Click Search.
  7. Click on the name of your certificate.
  8. Enter the challenge phrase for your certificate.
  9. Select the reason for revoking the certificate.
  10. Click Revoke This Certificate.  Once completed, you should receive a message stating that the certificate has been successfully revoked.