Revoking ACME Certificates

When a certificate is revoked, it is permanently invalid and cannot be reused or restored. This is a final action, usually taken because the certificate's private key has been compromised, the domain has changed ownership, or a serious security issue has occurred.

  • ACME signed certificates that are in use by Webserver or IPsec cannot be revoked.

  • Once an ACME certificate is revoked, it cannot be renewed. The Renew and Revoke buttons are not shown for the revoked certificate.

Using Web UI:

To revoke an ACME certificate:

  1. Navigate to Security :: Certificates.

  2. In the Certificate Table, locate the Signed Certificate (ACME) that you want to revoke.

  3. Click Revoke Certificate. The page redirects to the Certificate Table.

  4. Verify the updated status (Revoked) of the certificate.

Using CLI:

Run the following commands to revoke an ACME certificate:

  1. Access /settings/certificates:

    [admin@nodegrid acme-http]# cd /settings/certificates

  2. Locate the Signed Certificate (ACME):

    [admin@nodegrid certificates]# show
      name                  common name                  status  type                   issuer                                                                 issued on                 expires on                used by
      ====================  ===========================  ======  =====================  =====================================================================  ========================  ========================  =========
      nodegrid-default      e41a2c00752c                 Valid   Signed Certificate     ZPE Systems Inc e41a2c00752c                                           Nov  1 14:55:21 2024 GMT  Feb  4 14:55:21 2027 GMT  Webserver
      acme-http             acme-http.example.com        Valid   Signing Request (CSR)  -                                                                      -                         -

  3. Check the certificate status.

    [admin@ng-bugbuster acme-http01-v1-cert]# show
    certificate name: acme-http01-v1-cert
    status: Valid                                         <<<<<<<< Status
    common name: acme-http01-v1.example.com.br
    subject alternative names: acme-http01-v1.example.com.br
    certificate issuer: (STAGING) Let's Encrypt (STAGING) False Fennel E6
    issued on: Oct 29 15:48:50 2024 GMT
    expires on: Jan  2 13:10:11 2025 GMT
    key size: 256 bit
    certificate:
    -----BEGIN CERTIFICATE-----
    MIIDtTCCAzygAwIBAgISKxytfvHqoeskmhnEm2f5MDz8MAoGCCqGSM49BAMDMFMx
    ...
    -----END CERTIFICATE-----
    use_ssl_certificate_trust_attributes = no

  4. Type revoke_certificate.

    [admin@ACME acme-http01-v1-cert]# revoke_certificate

  5. Run show again and verify that the status is now Revoked.

    [admin@ACME acme-http01-v1-cert]# show
    certificate name: acme-http01-v1-cert
    status: Revoked                                                       <<<<<<<< Status
    common name: acme-http01-v1.example.com.br
    subject alternative names: acme-http01-v1.example.com.br
    certificate issuer: (STAGING) Let's Encrypt (STAGING) False Fennel E6
    issued on: Oct 29 15:48:50 2024 GMT
    expires on: Jan  2 13:10:11 2025 GMT
    key size: 256 bit
    certificate:
    -----BEGIN CERTIFICATE-----
    MIIDtTCCAzygAwIBAgISKxytfvHqoeskmhnEm2f5MDz8MAoGCCqGSM49BAMDMFMx
    ...
    -----END CERTIFICATE-----
    use_ssl_certificate_trust_attributes = no
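
A pre-revocation check for the restrictions listed at the top of this page, run against a saved copy of the certificate table from step 2 of the CLI procedure. This is an added example, not Nodegrid or ZPE code; the sample rows, the function names and the exact text of the "used by" values are assumptions.

```python
import re

# Constructed sample of the `show` table in /settings/certificates. Column layout
# follows the page; the rows and the "IPsec" spelling in "used by" are assumptions.
SAMPLE_TABLE = """\
  name                  status   type                   issued on                 used by
  ====================  =======  =====================  ========================  =========
  nodegrid-default      Valid    Signed Certificate     Nov  1 14:55:21 2024 GMT  Webserver
  acme-http             Valid    Signing Request (CSR)  -
  acme-http01-v1-cert   Valid    Signed Certificate     Oct 29 15:48:50 2024 GMT
  acme-old-cert         Revoked  Signed Certificate     Oct  2 09:00:00 2024 GMT
  acme-vpn-cert         Valid    Signed Certificate     Oct 29 16:02:11 2024 GMT  IPsec
"""

BLOCKING_SERVICES = ("webserver", "ipsec")  # in-use certificates cannot be revoked

def parse_table(text):
    """Split the fixed-width table into dicts, using the '=' row for column spans."""
    # Splitting on runs of spaces would break dates like 'Nov  1 14:55:21 2024 GMT'.
    lines = [l for l in text.splitlines() if l.strip()]
    sep = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"=", " "})
    spans = [m.span() for m in re.finditer(r"=+", lines[sep])]
    cut = lambda line: [line[a:b].strip() for a, b in spans]
    header = cut(lines[sep - 1])
    return [dict(zip(header, cut(row))) for row in lines[sep + 1:]]

def revoke_blockers(row):
    """Return the reasons a certificate cannot be revoked; an empty list means none."""
    reasons = []
    if row["type"] != "Signed Certificate":
        reasons.append("not a signed certificate")
    if row["status"] == "Revoked":
        reasons.append("already revoked")
    reasons += ["in use by " + s for s in BLOCKING_SERVICES if s in row["used by"].lower()]
    return reasons

def precheck(table_text, name):
    """Look up one certificate by name and report what blocks its revocation."""
    rows = {r["name"]: r for r in parse_table(table_text)}
    return revoke_blockers(rows[name]) if name in rows else ["no such certificate"]

if __name__ == "__main__":
    for r in parse_table(SAMPLE_TABLE):
        print(r["name"], revoke_blockers(r) or "ok to revoke")
```

Because revocation is final, running the check before revoke_certificate catches a certificate that is still bound to a service.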