Skip to main content

Revoke an intermediate CA

To revoke an intermediate CA, you must have two users with any of the following roles:

  • CA Admin

  • CA Operations

  • PKI Operations

  • PKI Manager

  1. In DigiCert ONE, in the Manager menu (top right), select CA.

  2. In Certificate Manager, in the left main menu, go to Manage CAs > Intermediates.

  3. On the Intermediate Certificate Authorities page, select the root ICA to be revoked.

  4. On the ICA details page, above On this page menu on the right, select More actions (three dots) > Revoke CA.

  5. On the Revoke CA dialog box:

    1. Select approver for the revocation request.

    2. Enter revocation date.

    3. Select a reason for the revocation.

      Opmerking

      Only specific certificate types may be revoked with the reason “6 Certificate hold". if not applicable this option will not appear.

    4. Enter any relevant notes for the approver.

    5. Select Request to revoke CA.

  6. The approver will receive an email containing the link to either approve or reject the revocation request. When the approver selects the link, a new approval screen opens up. In the approval screen, the approver may reject or approve the request.

    1. If the approver approves the request:

      The CA is revoked and disabled. This stops all application level functions from acting on the CA. OCSP gets updated immediately while CRL will be updated upon the next generation.

    2. If the approver rejects the request:

      The CA remains unchanged. You must begin the revocation process again if required.

Opmerking

Upon revocation approval for on-premises installations issuing ETSI Qualified certificates:

  1. All child CAs and end-entities will be revoked (Reason: 0, unspecified).

  2. A final CRL will be published with the next update field value of "99991231235959Z”.

  3. The requested CA will be revoked.

Unrevoke a CA

Only certificates with revoke reason "6 Certificate hold" may be unrevoked. The process is the same as revoking a CA.