OpenSSL "ca -revoke" - Revoke a Certificate

Q

How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed.

✍: FYIcenter.com

A

If you want to revoke a certificate that you signed previously, you can use the OpenSSL "ca -revoke" command to revoke it. Note that the certificate itself cannot be destroyed; it is only declared invalid in the CA's database.

The following test shows you how to revoke a certificate using the "ca -revoke" command:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -revoke test.crt -keyfile my_ca.key -cert my_ca.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Revoking Certificate 1000.
Data Base Updated

Notes about the above test:

  • The "-revoke test.crt" option tells the "ca" command to revoke the given certificate.
  • The "-keyfile my_ca.key" option tells the "ca" command to read the CA private key from the given file.
  • The "-cert my_ca.crt" option tells the "ca" command to read the CA certificate from the given file.
  • The "Revoking Certificate 1000" message indicates that the "ca" command found the certificate (serial number 0x1000) in its database and marked it as "removed (invalid)".
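The same lifecycle as the session above, as an added example (not from the original page) for a Linux/macOS shell: a throwaway CA with an unencrypted key, a certificate issued as serial 1000, the page's "ca -revoke" step, and then a CRL so that a relying party actually sees the revocation. The CA config, file names and subjects are constructed for the demo; the "ca" options are the ones the page uses.

```shell
#!/bin/sh
# Added demo (constructed names/config): issue, revoke with "ca -revoke", publish a CRL,
# and show what changed: the index.txt row and the result of a CRL-checking verify.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK" || exit 1
mkdir newcerts; : > index.txt; echo 1000 > serial   # empty "ca" database, next serial 0x1000
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# CA key (unencrypted here; the page's my_ca.key had a passphrase) and self-signed CA cert
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
  -keyout my_ca.key -out my_ca.crt -days 365 2>/dev/null
# Issue test.crt; it gets serial 1000, matching the page's "Revoking Certificate 1000"
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=test.example" \
  -keyout test.key -out test.csr 2>/dev/null
openssl ca -batch -config ca.cnf -keyfile my_ca.key -cert my_ca.crt \
  -in test.csr -out test.crt 2>/dev/null
# Status flag stored for a serial in index.txt: V = valid, R = revoked, E = expired
db_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' index.txt; }
# Would a verifier that checks the CA's CRL accept test.crt? Prints accepted/rejected
crl_verify() {
  cat my_ca.crt my_ca.crl > bundle.pem
  if openssl verify -crl_check -CAfile bundle.pem test.crt >/dev/null 2>&1; then echo accepted
  else echo rejected; fi
}
BEFORE=$(db_status 1000)                      # V: test.crt is still good
# The page's step. test.crt itself is untouched; only the database row changes
openssl ca -config ca.cnf -keyfile my_ca.key -cert my_ca.crt -revoke test.crt 2>/dev/null
AFTER=$(db_status 1000)                       # R
# Revocation reaches relying parties only through a published CRL (or OCSP)
openssl ca -config ca.cnf -keyfile my_ca.key -cert my_ca.crt -gencrl -out my_ca.crl 2>/dev/null
RESULT=$(crl_verify)                          # rejected: "certificate revoked"
echo "before=$BEFORE after=$AFTER crl_check=$RESULT"
```

Without the "-gencrl" step (and clients configured to fetch the CRL), a revoked certificate keeps verifying fine everywhere except in the CA's own database.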


2016-09-10, 6729👍, 0💬