
Certbot: Revoke certificate

You can use an ACME client such as Certbot on your servers to request revocation of certificates that were issued through the DigiCert® ACME service. Certbot sends the revocation request to DigiCert® Trust Lifecycle Manager, which passes it on to the applicable issuing CA to complete the revocation. Certbot authenticates the request with the ACME account key stored in its configuration directory, so run it with the same --config-dir that was used when the certificate was issued.

Notice

ACME-issued certificates can also be revoked directly from the Trust Lifecycle Manager Inventory > Certificates page or through the REST API. To learn more, see:

Revoke by certificate name

At the command-line prompt, use the following command syntax to request revocation of a certificate by its reference name:

certbot revoke --cert-name {NAME} --config-dir {MY-CONFIG-DIR} --reason {REVOCATION-REASON}

Fill in the values of the command arguments as follows:

{NAME}: The reference name (lineage name) Certbot assigned to the certificate, which is not necessarily the same as the common name. Run certbot certificates --config-dir {MY-CONFIG-DIR} to list all certificates Certbot knows about in that configuration directory, including the reference name of each.

{MY-CONFIG-DIR}: The directory path where the Certbot configuration, account key, and certificate files are stored. Certbot reads the ACME server URL for the certificate from the renewal configuration in this directory, so no --server option is needed.

{REVOCATION-REASON}: The reason for revoking the certificate. For the list of supported reasons, see Revocation reasons. If omitted, the reason is set to unspecified.

Example command:

certbot revoke --cert-name app1.example.com --config-dir /usr/local/certbot/my_webserver_config/ --reason superseded

Revoke by certificate path

At the command-line prompt, use the following command syntax to request revocation of a certificate by its file path on the server:

certbot revoke --cert-path {PATH} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} --reason {REVOCATION-REASON}

Fill in the values of the command arguments as follows:

{PATH}: The absolute path of the certificate file (PEM) on the server.

{ACME-URL}: The DigiCert ACME Directory URL used to issue the certificate. The --server option is required when revoking by certificate path, because Certbot has no renewal configuration to read it from in this mode; it is not required when revoking by reference name.

{MY-CONFIG-DIR}: The directory path where the Certbot configuration, account key, and certificate files are stored.

{REVOCATION-REASON}: The reason for revoking the certificate. For the list of supported reasons, see Revocation reasons. If omitted, the reason is set to unspecified.

Example command:

certbot revoke --cert-path /usr/local/certbot/my_webserver_config/archive/app1.example.com/cert1.pem --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_webserver_config/ --reason keyCompromise
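The following wrapper script is an added example and is not DigiCert's or Certbot's own code. It covers both procedures above (revoke by reference name and revoke by certificate path): it normalizes and validates the revocation reason before anything is sent to the ACME server, adds --server only for the --cert-path form as this page requires, and runs Certbot non-interactively so that an automated run is not stopped by Certbot's prompt asking whether to delete the revoked certificate files. The names revoke, run, normalize_reason, check_revoked and the DRY_RUN and ACME_URL variables are this script's own; ACME_URL defaults to the directory URL used in the example above and should be set to the one your certificates were issued from.

```shell
#!/bin/sh
# Added example wrapper around "certbot revoke" (not DigiCert's or Certbot's code).
# DRY_RUN=1 prints the certbot command line instead of executing it.
set -eu

# Revocation reasons the DigiCert ACME service accepts, as listed on this page.
SUPPORTED_REASONS="unspecified keycompromise affiliationchanged superseded cessationofoperation"

# DigiCert ACME directory URL from the page's own example (assumed); override via
# the environment to match the ACME service your certificates were issued from.
ACME_URL="${ACME_URL:-https://one.digicert.com/mpki/api/v1/acme/v2/directory}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# normalize_reason [REASON]: lowercase the reason (Certbot compares it
# case-insensitively), default to "unspecified" when empty, and reject anything
# that is not in SUPPORTED_REASONS so a typo never reaches the CA.
normalize_reason() {
    local reason r
    reason=$(printf '%s' "${1:-unspecified}" | tr '[:upper:]' '[:lower:]')
    for r in $SUPPORTED_REASONS; do
        if [ "$r" = "$reason" ]; then
            printf '%s\n' "$reason"
            return 0
        fi
    done
    printf 'unsupported revocation reason: %s\n' "$1" >&2
    return 2
}

# revoke name|path TARGET CONFIG_DIR [REASON]
#   name: TARGET is the Certbot reference name (see "certbot certificates").
#   path: TARGET is the absolute path of the certificate PEM; --server is added.
# --non-interactive suppresses Certbot's prompts, and --no-delete-after-revoke
# keeps the lineage on disk so the revoked certificate can still be inspected.
revoke() {
    local mode="$1" target="$2" config_dir="$3" reason
    reason=$(normalize_reason "${4:-}") || return $?
    case "$mode" in
        name)
            run certbot revoke --cert-name "$target" --config-dir "$config_dir" \
                --reason "$reason" --non-interactive --no-delete-after-revoke
            ;;
        path)
            case "$target" in
                /*) ;;
                *) printf 'certificate path must be absolute: %s\n' "$target" >&2; return 2 ;;
            esac
            [ "${DRY_RUN:-0}" = "1" ] || [ -r "$target" ] || {
                printf 'cannot read certificate file: %s\n' "$target" >&2; return 2; }
            run certbot revoke --cert-path "$target" --server "$ACME_URL" \
                --config-dir "$config_dir" --reason "$reason" \
                --non-interactive --no-delete-after-revoke
            ;;
        *)
            printf 'mode must be "name" or "path", got: %s\n' "$mode" >&2
            return 2
            ;;
    esac
}

# check_revoked CERT_PEM CHAIN_PEM: after revoking, ask the OCSP responder named in
# the certificate's AIA extension for its status. Assumes the certificate carries
# an OCSP URL and the responder is reachable; prints a line ending in "revoked"
# once the CA has published the revocation.
check_revoked() {
    local cert="$1" chain="$2" url
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    [ -n "$url" ] || { printf 'no OCSP URL in %s\n' "$cert" >&2; return 2; }
    openssl ocsp -issuer "$chain" -cert "$cert" -url "$url" \
        | grep -E ': (good|revoked|unknown)$'
}
```

Example usage: `revoke name app1.example.com /usr/local/certbot/my_webserver_config/ superseded`, or `DRY_RUN=1 revoke path /usr/local/certbot/my_webserver_config/archive/app1.example.com/cert1.pem /usr/local/certbot/my_webserver_config/ keyCompromise` to see the command line that would run. For a keyCompromise revocation, follow up with `check_revoked` against the certificate and its chain so you have evidence the CA actually published the revocation, and issue the replacement with a freshly generated key.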

Revocation reasons

The DigiCert ACME service supports the following revocation reasons when revoking an ACME-issued certificate.

unspecified: No specific reason is given for the revocation.

keyCompromise: The private key associated with the certificate has been compromised or is suspected to be compromised. Issue the replacement certificate with a newly generated key; reusing the compromised key defeats the purpose of the revocation.

affiliationChanged: The subject's affiliation or organizational information has changed and the certificate is no longer accurate.

superseded: The certificate has been replaced with a new one and is no longer needed.

cessationOfOperation: The service, domain, or operation associated with the certificate has been discontinued.

Notice

In Certbot commands, the revocation reason is not case sensitive: keyCompromise, keycompromise, and KEYCOMPROMISE are all accepted.