Revoke an intermediate CA
To revoke an intermediate CA, you must have two users with any of the following roles:
CA Admin
CA Operations
PKI Operations
PKI Manager
In DigiCert ONE, in the Manager menu (top right), select CA.
From the main menu, select Manage CAs > Intermediates.
Select the root ICA to be revoked.
In the right corner of the Details section, select More actions (three dots) > Revoke CA.
On the Revoke CA dialog box:
Select Approver for the revocation request.
Enter Revocation date.
Enter Reason for the revocation.
Note
Only specific certificate types may be revoked with the reason "6 Certificate hold". If not applicable, this option will not appear.
Enter any relevant notes for the approver.
Select Request to revoke CA.
The approver will receive an email containing the link to either approve or reject the revocation request. When the approver selects the link, a new approval screen opens up where the approver rejects or approves the request.
If the approver approves the request:
The CA is revoked and disabled. This stops all application-level functions from acting on the CA. OCSP is updated immediately, while the CRL is updated at its next generation.
If the approver rejects the request:
The CA remains unchanged. You must begin the revocation process again, if required.
Note
Upon revocation approval for on-premises installations issuing ETSI Qualified certificates:
All child CAs and end-entities are revoked (Reason: 0, unspecified).
A final CRL is published with the next update field value of "99991231235959Z".
The requested CA is revoked.
Unrevoke a CA
Only certificates with revoke reason "6 Certificate hold" may be unrevoked. The process is the same as revoking a CA.
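A check a relying party or auditor could run after the steps above, added here as an example (not DigiCert's code): it reads CRL text in the layout printed by `openssl crl -text -noout` and reports whether a serial is revoked, on hold (reason 6, so it can be unrevoked), or not listed, and whether the CRL is a final one with next update 99991231235959Z. The sample CRL, the serial numbers, the function names and the "stale" rule for a CRL past its next update are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# nextUpdate value the page gives for a final CRL: "99991231235959Z"
FINAL_NEXT_UPDATE = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
# Constructed sample in the text layout of `openssl crl -text -noout`
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: CN = Example Root CA
        Last Update: Mar  1 00:00:00 2024 GMT
        Next Update: Dec 31 23:59:59 9999 GMT
Revoked Certificates:
    Serial Number: 0A1B2C
        Revocation Date: Feb 28 12:00:00 2024 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 0D4E5F
        Revocation Date: Mar  1 00:00:00 2024 GMT
"""

def _field_time(label, text):
    raw = re.search(rf"{label}:\s*(.+? GMT)", text).group(1)
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    """Return update times, final-CRL flag and {serial: reason}; no reason means Unspecified."""
    head, _, body = text.partition("Revoked Certificates:")
    revoked = {}
    for entry in re.split(r"\n\s*Serial Number:\s*", body)[1:]:
        reason = re.search(r"CRL Reason Code:\s+(.+)", entry)
        revoked[entry.split()[0].upper()] = (
            reason.group(1).strip() if reason else "Unspecified")
    next_update = _field_time("Next Update", head)
    return {"this_update": _field_time("Last Update", head),
            "next_update": next_update,
            "final": next_update == FINAL_NEXT_UPDATE,
            "revoked": revoked}

def ca_status(crl, serial, now):
    """Classify one serial number against a parsed CRL at time `now`."""
    reason = crl["revoked"].get(serial.upper())
    if reason == "Certificate Hold":
        return "on hold (can be unrevoked)"
    if reason is not None:
        return f"revoked ({reason})"
    if not crl["final"] and now > crl["next_update"]:
        return "unknown (CRL is stale)"
    return "not listed"
```

Because the CRL only changes at its next generation, a "not listed" result shortly after approval does not prove the CA is still valid; OCSP reflects the revocation first.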