Only CM agents can revoke certificates other than their own. A certificate must be revoked if one of the following situations occurs:
- The owner of the certificate has changed status and no longer has the right to use the certificate.
- The private key of a certificate owner has been compromised.
These two reasons are not the only ones for which a certificate would need to be revoked; other reasons are mentioned in Section 5.4.2, “Revoking One or More Certificates”.
To revoke one or more certificates, search for the certificates to revoke using the Revoke Certificates button. While the search is similar to the one through the Search for Certificates form, the Search Results form returned by this search offers the option of revoking one or all of the returned certificates.
To search for one or more certificates to revoke, do the following:
1. Open the CM agent services page.
2. Click Revoke Certificates.
   The search form that appears has the same search criteria sections as the Search for Certificates form.
3. Specify the search criteria by selecting the check boxes for the sections and filling in the required information.
4. Scroll to the bottom of the form, and set the number of matching certificates to display.
5. Click Find.
   The search returns a list of matching certificates.
Either the entire list of certificates returned by the search or selected certificates from the list can be revoked.
Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked. Once a revocation operation has been confirmed, there is no way to undo it.
To revoke a single certificate, do the following:
1. On the CM's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.
2. On the Search Results form, select the certificate to revoke.
   If a desired certificate is not shown, scroll to the bottom of the list, specify an additional number of certificates to be returned, and click Find. The system displays the next certificates up to that number that match the original search criteria.
3. Click the Revoke button next to the certificate to be revoked.
4. Confirm the certificate to be revoked in the revocation form.
To revoke all of the certificates returned in a search, do the following:
1. On the CM's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.
2. On the Search Results page, scroll to the bottom to reach the Revoke ALL # Certificates button. The number shown on the button is the total number of certificates returned by the search. This is usually a larger number than the number of certificates displayed on the current page.
3. Verify that all of the certificates returned by the search should be revoked, not only those displayed on the current page.
4. Click Revoke ALL # Certificates at the bottom of the form.
5. Confirm the certificates to be revoked in the revocation form.
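The verification step above can be done as a set comparison before clicking Revoke ALL # Certificates. The following is an added example, not part of the original guide or of the product: it assumes the agent has an approved list of serial numbers and has copied the serial numbers from every result page; all function names and sample values are constructed.

```python
def parse_serial(text):
    """Return a serial number as an int; accepts decimal ("26") or hex ("0x1a")."""
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def check_bulk_revocation(approved, listed, button_total):
    """Compare approved serials with the serials a revocation search returned.

    approved     -- serials authorised for revocation (assumed input)
    listed       -- serials copied from the result pages viewed so far
    button_total -- the number shown on the Revoke ALL # Certificates button
    """
    approved_set = {parse_serial(s) for s in approved}
    listed_set = {parse_serial(s) for s in listed}
    report = {
        # Counts differ: some matching certificates were never displayed.
        "incomplete_listing": len(listed_set) != button_total,
        # Returned by the search, but nobody approved revoking them.
        "unapproved": sorted(listed_set - approved_set),
        # Approved, but not among the listed results.
        "missed": sorted(approved_set - listed_set),
    }
    report["safe_to_revoke_all"] = not (
        report["incomplete_listing"] or report["unapproved"]
    )
    return report


# Constructed sample data: three approved serials, a search matching four.
APPROVED = ["0x1a", "0x1b", "0x2f"]
FIRST_PAGE = ["26", "27"]               # only the page currently displayed
ALL_PAGES = ["26", "27", "47", "0x30"]  # every page; 0x30 was never approved

if __name__ == "__main__":
    # Looking at the first page alone hides two certificates.
    print(check_bulk_revocation(APPROVED, FIRST_PAGE, 4))
    # The full listing exposes serial 48 (0x30) as unapproved.
    print(check_bulk_revocation(APPROVED, ALL_PAGES, 4))
```

Because a confirmed revocation cannot be undone, any entry under "unapproved" means the search criteria should be narrowed, or the certificates revoked one at a time, instead of using the bulk button.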
When one or more certificates have been selected for revocation, the Certificate Revocation Confirmation form opens.
To confirm the revocation, do the following:
1. Inspect the details of the certificate to verify that it is the one to be revoked. If more than one certificate is being revoked, the form shows details for all the certificates.
2. Select an invalidity date. The invalidity date is the date on which it is known or suspected that the user's private key was compromised or that the certificate became invalid. A set of drop-down lists allows the agent to select the correct invalidity date.
3. Select a reason for the revocation. The reason applies to all the listed certificates. The different reasons are as follows:
   - Key compromised
   - CA key compromised
   - Affiliation changed
   - Certificate superseded
   - Cessation of operation
   - Certificate is on hold
4. Enter any additional comment. The comment is included in the revocation request.
When the revocation request is submitted, it is automatically approved, and the certificate is revoked. Revocation requests are viewed by listing requests with a status of Completed; see Section 4.2, “Listing Certificate Requests” for more information.
Whether a single certificate or a list of certificates is revoked, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked. Once a revocation operation is confirmed, there is no way to undo it.