Certificate Revocation List

Akeyless enables you to proactively revoke certificates before their scheduled expiration date and seamlessly add them to a Certificate Revocation List (CRL), ensuring enhanced security and trust in your certificate management process.

PKI Cert Issuer Settings

In this guide, we are only configuring the certificate issuer to revoke certificates. Additional settings that can be applied to the issuer can be found here.

Configure the Certificate Issuer to revoke certificates

To create a PKI Cert Issuer that can revoke certificates, follow these steps:

  1. Enable the Store Issued Certificates option and specify the path where the generated certificates will be stored.
  2. Select the Public and/or Private CRL option:
    • Public CRL: Expose a public CRL endpoint
    • Private CRL: Expose a CRL endpoint in the Gateway

This configuration will enable the Issuer to revoke certificates.

Revoke a certificate using the Akeyless CLI

To revoke a certificate from the CLI, run the following command:

akeyless revoke-certificate --name <Certificate name> --version <Certificate version>

Where:

  • name: The certificate's full name. Alternatively, the certificate can be identified by its item-id.
  • version: Certificate version to revoke.

Upon successful revocation, the certificate status will be changed from Valid to Revoked.

You can find the complete list of parameters for this command in the CLI-Reference-Certificates section.

Revoke a certificate using the Akeyless Console

To revoke a certificate from the console:

  1. Log in to the Akeyless Console, go to Items, and find the certificate you wish to revoke.
  2. Click on the Certificate, open the Action Menu (three dots), and click Revoke.

Revocation List

Once the certificate is revoked, it is added to the Certificate Revocation List.

To view the Certificate Revocation List, follow these steps:

  • Choose a Certificate Item and scroll down to View Certificate Details.
  • Scroll down to CRL Distribution points, where the CRL Endpoints will be listed.
  • Open one of those URLs in your browser to download the CRL.

Note

A single Certificate Issuer maintains one shared Certificate Revocation List (CRL) covering all the certificates it has issued. Therefore, the CRL Distribution Point of any certificate from that issuer leads to the same common CRL Endpoint.
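To see what a relying party does with that endpoint, the following added example (demo code, not Akeyless's) builds a throwaway CA with the openssl CLI, issues a leaf carrying a CRL Distribution Point, then revokes the leaf and re-signs the CRL, checking the leaf's status before and after. It assumes the openssl CLI is installed, writes everything to a temp directory, and uses a placeholder CDP URL.

```shell
# Added demo, not Akeyless code. Assumes: openssl CLI installed, temp dir, placeholder CDP URL.
set -e
setup_demo_ca() {
  DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR"
  # [req]/[v3_ca] mint the CA; [demo_ca] is the minimum 'openssl ca' needs for -revoke/-gencrl
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
default_md = sha256
default_crl_days = 1
EOF
  : > index.txt
  # Leaf extension: the CRL Distribution Point a client would fetch (placeholder URL)
  echo 'crlDistributionPoints=URI:http://crl.example.invalid/demo.crl' > cdp.cnf
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=DemoCA -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj /CN=leaf.example -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile cdp.cnf -out leaf.pem 2>/dev/null
  regen_crl
}
# Sign a fresh CRL listing every index.txt entry marked R (revoked)
regen_crl() { openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem 2>/dev/null; }
# Revoke the leaf (its index.txt entry becomes R) and publish the updated CRL
revoke_leaf() {
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke leaf.pem 2>/dev/null
  regen_crl
}
# Where a relying party would download the CRL, read from the leaf itself
cdp_url() { openssl x509 -in leaf.pem -noout -text | grep -o 'URI:.*' | head -n 1; }
# Verify the leaf against the CA and the CRL; prints valid, revoked or the raw error
leaf_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo valid ;;
    *) echo "error: $out" ;;
  esac
}
```

Source the file, then run `setup_demo_ca; leaf_status; cdp_url; revoke_leaf; leaf_status` to watch the status flip from valid to revoked once the re-signed CRL lists the leaf's serial.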