Revoke certificates

This page explains how to revoke certificates.

Certificate Authority Service supports certificate revocation by periodically publishing Certificate Revocation Lists (CRLs). You can only revoke certificates issued by CA pools in the Enterprise tier.

Before you begin

Make sure you have the Certificate Authority Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) role. For more information about the predefined IAM roles for CA Service, see Access control with IAM.

For information about granting an IAM role, see Granting a single role.

Enable CRL publication

To revoke the certificates issued by a CA pool, you must enable CRL publication on the CA pool. You can enable CRL publication while creating a CA pool. If initially disabled, you can enable CRL publication later.

After you enable CRL publication, a new CRL is published daily and is valid for 7 days. A new CRL is also published within 15 minutes of any new certificate revocation.

Certificates contain a CRL Distribution Point (CDP) extension that specifies where the CRL information for the certificate can be found. By default, when you enable CRL publication, CA Service populates the CDP extension for all certificates that are issued by the CA with the Cloud Storage publishing location that the CA uses. To set your own links to appear in this certificate extension, set the UserDefinedAccessUrls field. To keep the default Cloud Storage publishing location link and also add your own links, add the Cloud Storage link to the list of links that you specify.

To enable CRL publication on a CA pool, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Certificate Authority Service

  2. Click the CA Pool Manager tab.
  3. Click the CA pool that you want to edit or click the CA pool that has the CA that you want to edit.
  4. On the CA pool page, click Edit.
  5. Click Next until you get to the Configure publishing options section.
  6. Click the Publish CRL to GCS bucket for CAs in this pool toggle.

gcloud

Run the following command:

    gcloud privateca pools update POOL_ID \
        --location LOCATION \
        --publish-crl

Replace the following:

  • POOL_ID: the name of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.

CA Service enforces a limit of 500,000 unexpired revoked certificates per CRL.

Revoke a certificate

CA Service allows revoking certificates by serial number or resource name, and also accepts an optional reason. After a certificate is revoked, its serial number and revocation reason appear in all future CRLs until the certificate reaches its expiry date. An out-of-band CRL is also generated within 15 minutes of revocation.

To revoke a certificate, use the following steps:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Click the Private certificate manager tab.
  3. In the list of certificates, click View more in the row of the certificate you want to revoke.
  4. Click Revoke .
  5. In the dialog that opens, click Confirm .

gcloud

  • To revoke a certificate using its resource name, run the following command:

        gcloud privateca certificates revoke \
            --certificate CERT_ID \
            --issuer-pool POOL_ID \
            --issuer-location ISSUER_LOCATION \
            --reason REVOCATION_REASON

    Replace the following:

    • CERT_ID: the unique identifier of the certificate that you want to revoke.
    • POOL_ID: the name of the CA pool that issued the certificate.
    • ISSUER_LOCATION: the location of the issuing CA pool.
    • REVOCATION_REASON: the reason for revoking the certificate.

    The --reason flag is optional. For more information about this flag, see --reason, or use the following gcloud command with the --help flag:

        gcloud privateca certificates revoke --help

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

  • To revoke a certificate using its serial number, run the following command:

        gcloud privateca certificates revoke \
            --serial-number SERIAL_NUMBER \
            --issuer-pool POOL_ID \
            --issuer-location ISSUER_LOCATION \
            --reason REVOCATION_REASON

    Replace the following:

    • SERIAL_NUMBER: the serial number of the certificate.
    • POOL_ID: the name of the CA pool that issued the certificate.
    • ISSUER_LOCATION: the location of the issuing CA pool.
    • REVOCATION_REASON: the reason for revoking the certificate.

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

    When prompted to confirm, you can do so by entering 'Y':

        You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]

        Do you want to continue? (Y/n) Y
        Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import (
    	"context"
    	"fmt"
    	"io"

    	privateca "cloud.google.com/go/security/privateca/apiv1"
    	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
    )

    // Revoke an issued certificate. Once revoked, the certificate will become invalid
    // and will expire post its lifetime.
    func revokeCertificate(w io.Writer, projectId string, location string, caPoolId string, certId string) error {
    	// projectId := "your_project_id"
    	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
    	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate exists.
    	// certId := "certificate"			// A unique name for the certificate.

    	ctx := context.Background()
    	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
    	if err != nil {
    		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
    	}
    	defer caClient.Close()

    	fullCertName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificates/%s", projectId, location, caPoolId, certId)

    	// Create the RevokeCertificateRequest and specify the appropriate revocation reason.
    	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#RevokeCertificateRequest.
    	req := &privatecapb.RevokeCertificateRequest{
    		Name:   fullCertName,
    		Reason: privatecapb.RevocationReason_PRIVILEGE_WITHDRAWN,
    	}

    	_, err = caClient.RevokeCertificate(ctx, req)
    	if err != nil {
    		return fmt.Errorf("RevokeCertificate failed: %w", err)
    	}

    	fmt.Fprintf(w, "Certificate %s revoked", certId)

    	return nil
    }

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import com.google.api.core.ApiFuture;
    import com.google.cloud.security.privateca.v1.Certificate;
    import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
    import com.google.cloud.security.privateca.v1.CertificateName;
    import com.google.cloud.security.privateca.v1.RevocationReason;
    import com.google.cloud.security.privateca.v1.RevokeCertificateRequest;
    import java.io.IOException;
    import java.util.concurrent.ExecutionException;

    public class RevokeCertificate {

      public static void main(String[] args)
          throws IOException, ExecutionException, InterruptedException {
        // TODO(developer): Replace these variables before running the sample.
        // location: For a list of locations, see:
        // https://cloud.google.com/certificate-authority-service/docs/locations
        // poolId: Id for the CA pool which contains the certificate.
        // certificateName: Name of the certificate to be revoked.
        String project = "your-project-id";
        String location = "ca-location";
        String poolId = "ca-pool-id";
        String certificateName = "certificate-name";

        revokeCertificate(project, location, poolId, certificateName);
      }

      // Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire
      // post its lifetime.
      public static void revokeCertificate(
          String project, String location, String poolId, String certificateName)
          throws IOException, ExecutionException, InterruptedException {
        // Initialize client that will be used to send requests. This client only needs to be created
        // once, and can be reused for multiple requests. After completing all of your requests, call
        // the `certificateAuthorityServiceClient.close()` method on the client to safely
        // clean up any remaining background resources.
        try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
            CertificateAuthorityServiceClient.create()) {

          // Create Certificate Name.
          CertificateName certificateNameParent =
              CertificateName.newBuilder()
                  .setProject(project)
                  .setLocation(location)
                  .setCaPool(poolId)
                  .setCertificate(certificateName)
                  .build();

          // Create Revoke Certificate Request and specify the appropriate revocation reason.
          RevokeCertificateRequest revokeCertificateRequest =
              RevokeCertificateRequest.newBuilder()
                  .setName(certificateNameParent.toString())
                  .setReason(RevocationReason.PRIVILEGE_WITHDRAWN)
                  .build();

          // Revoke certificate.
          ApiFuture<Certificate> response =
              certificateAuthorityServiceClient
                  .revokeCertificateCallable()
                  .futureCall(revokeCertificateRequest);

          Certificate certificateResponse = response.get();

          System.out.println("Certificate Revoked: " + certificateResponse.getName());
        }
      }
    }

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import google.cloud.security.privateca_v1 as privateca_v1


    def revoke_certificate(
        project_id: str,
        location: str,
        ca_pool_name: str,
        certificate_name: str,
    ) -> None:
        """
        Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime.
        Args:
            project_id: project ID or project number of the Cloud project you want to use.
            location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
            ca_pool_name: name for the CA pool which contains the certificate.
            certificate_name: name of the certificate to be revoked.
        """

        caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

        # Create Certificate Path.
        certificate_path = caServiceClient.certificate_path(
            project_id, location, ca_pool_name, certificate_name
        )

        # Create Revoke Certificate Request and specify the appropriate revocation reason.
        request = privateca_v1.RevokeCertificateRequest(
            name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN
        )

        result = caServiceClient.revoke_certificate(request=request)
        print("Certificate revoke result:", result)
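The samples above revoke a certificate; the example below, added here and not taken from this page or from Google's client libraries, shows the relying-party side of the statement that a revoked certificate's serial number and reason then appear in the CA's CRL. It uses Go's standard crypto/x509 to build constructed fixtures (a throwaway CA, serial 4242, reason code 9 which is privilegeWithdrawn as in the samples, and a 7-day validity like CA Service's CRLs), then checks a serial against the CRL only after verifying the CRL's signature and that it is not past its nextUpdate; in a real deployment the CRL bytes are fetched from the URL in the certificate's CDP extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error; used only to build the constructed fixtures below
	if err != nil {
		panic(err)
	}
	return v
}
// buildScenario makes a throwaway CA plus a CRL that, like a CA Service CRL, is valid for 7 days and lists
// the constructed serial 4242 with RFC 5280 reason privilegeWithdrawn (code 9, the reason the page's samples use).
func buildScenario() (ca *x509.Certificate, crlDER []byte, revokedSerial *big.Int) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, revokedSerial := time.Now(), big.NewInt(4242)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: now,
		NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revokedSerial, RevocationTime: now, ReasonCode: 9}}}
	return ca, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)), revokedSerial
}
// checkRevoked verifies the CRL's signature and freshness against the issuing CA, then reports whether serial is listed and its reason code (-1 if not listed).
func checkRevoked(ca *x509.Certificate, crlDER []byte, serial *big.Int) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // never trust a CRL that the expected issuer did not sign
	}
	if err == nil && time.Now().After(crl.NextUpdate) {
		err = errors.New("CRL is past nextUpdate; fetch a fresh one from the CDP before trusting it")
	}
	if err != nil {
		return false, -1, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, -1, nil
}
```

Because CA Service keeps a revoked serial in every CRL until the certificate expires, a checker like this reports the same result on each daily CRL until that date.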

What's next
