About revoking certificates
Certificate revocation is the process of invalidating a certificate before its scheduled expiration date. Revoking a certificate ensures that it can no longer be trusted or used to establish secure connections.
Next-Gen Trust Security supports certificate revocation for certificates issued by the following certificate authorities:
- AWS
- Microsoft AD CS
- Venafi Zero Touch PKI
- DigiCert
- ACMEv2
- Sectigo
- CyberArk Certificate Manager - Self-Hosted
- Google Cloud Certificate Authority Service
- GoDaddy
Understanding certificate revocation in Next-Gen Trust Security
Certificate revocation is a key security control used to reduce risk when a certificate or its associated private key is no longer trustworthy. In Next-Gen Trust Security, revocation allows you to invalidate certificates that should no longer be used, helping prevent unauthorized access and misuse.
Certificates are typically revoked when they are compromised, incorrectly issued, or no longer meet security or operational requirements.
What is certificate revocation?
Certificate revocation is the act of marking a certificate as untrusted by the issuing certificate authority. Once revoked, the certificate can no longer be used to authenticate identities or secure communications.
Common reasons for revoking a certificate include:
- Compromised key pairs: If a private key is exposed or suspected of compromise, the corresponding certificate should be revoked.
- Certificate holder no longer trusted: Certificates associated with decommissioned systems or departed personnel should be revoked.
- Policy or compliance changes: Certificates that no longer meet updated organizational or security policies might need to be revoked.
How certificate revocation secures your environment
Maintaining valid and trustworthy certificates is essential for securing communications across servers and applications. Revoking certificates that should no longer be trusted helps:
- Reduce security risk: Revocation limits the potential impact of compromised or misused certificates.
- Maintain compliance: Ensuring only valid certificates are in use supports compliance with security standards and internal policies.
- Preserve trust: Revoked certificates are published through certificate revocation mechanisms such as Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responses, allowing clients to verify certificate validity.
By using certificate revocation as part of your security practices, Next-Gen Trust Security helps you maintain control over the certificates that protect your infrastructure.
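How a client consumes the CRL that a CA publishes after a revocation, as an added example that is not part of this documentation or of the product: Go (standard library only, 1.21 or later) builds a constructed test CA, a leaf certificate it issued and a CRL that revokes the leaf for keyCompromise, then checks the leaf against that CRL, refusing to trust a CRL the CA did not sign or one that is past its NextUpdate time. The CA name, serial numbers and the CheckRevocation and buildFixture functions are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

// CheckRevocation reports whether leaf's serial appears in the DER-encoded CRL (entries also carry ReasonCode, 1 = keyCompromise), trusting the CRL only if issuer signed it and it is not past NextUpdate.
func CheckRevocation(leaf *x509.Certificate, crlDER []byte, issuer *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // a CRL the CA did not sign says nothing about the certificate
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: fetch a fresh one before deciding")
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}), nil
}

// buildFixture constructs a throwaway CA, a leaf it issued, and a CRL revoking that leaf for keyCompromise; all values are constructed test data.
func buildFixture() (leaf, ca *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign CRLs
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // parsing fills in the generated SubjectKeyId the CRL needs
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "app.example.test"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now, ReasonCode: 1}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return leaf, ca, crlDER
}
```

A production client would fetch the CRL from the distribution point named in the certificate (or query OCSP) rather than build one, but the three checks shown are the ones it must still perform before acting on the answer.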
Next steps
To revoke a certificate, see Revoking a certificate.