To revoke an issued certificate
- Log on to the system as an Administrator.
- Open Certification Authority.
- In the console tree, click Issued Certificates
- Certification Authority (computer)
- CA name
- Issued Certificates
- In the details pane, click the certificate you want to revoke.
- On the Action menu, point to All Tasks, and click Revoke Certificate.
- Select the reason for revoking the certificate and click Yes.
- To open Certification Authority, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
- The certificate is marked as revoked and is moved to the Revoked Certificates folder. The revoked certificate will appear on the certificate revocation list (CRL) the next time it is published.
- Certificates revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until they expire, or have their revocation reason code changed. This is the only reason code that allows you to change the status of a revoked certificate. It is useful if the status of the certificate is questionable and is meant to provide some flexibility to the CA administrator.
To unrevoke a certificate revoked with the reason code "Certificate Hold," at a command prompt on the CA, type
certutil -revoke certificateserialnumber unrevoke
To identify the certificateserialnumber, double-click the revoked certificate in the details pane of the Revoked Certificates folder, and then click the Details tab.
To change the reason code for a certificate previously revoked with the reason code "Certificate Hold," type the appropriate command at a command prompt on the CA.
New reason code for
revoking a certificate
currently on "Certificate Hold"
||certutil -revoke certificateserialnumber 0|
||certutil -revoke certificateserialnumber 1|
||certutil -revoke certificateserialnumber 2|
||certutil -revoke certificateserialnumber 3|
||certutil -revoke certificateserialnumber 4|
|Cessation of Operation
||certutil -revoke certificateserialnumber 5|