Revoking CERN CA certificates

Revoking a certificate allows you to terminate its usage before its validity period expires.

When a certificate is revoked, it is included in a Certificate Revocation List (CRL) which is distributed by the CERN CA.

Please do not revoke a certificate only to stop receiving expiration reminders. Expiration reminders for a certificate can be turned off from the My User Certificates page.

User certificates

You can revoke your own user certificates in the following cases:

  • The certificate is superseded (i.e. you have a new certificate).
  • The certificate is compromised (security incident).

Superseded certificate: revoke the certificate because it was replaced by a new one.

If you have a new user certificate, you can revoke your old one. Please note, however, that:

  • It is not recommended to revoke an old certificate if you have a new one.
  • The existence of an old certificate is not a security risk.
  • All files and emails encrypted using this certificate will be unrecoverable.
  • This operation is not reversible, and no support can be provided to recover a revoked certificate.

Security reason: revoke the certificate because it was compromised.

You should revoke a certificate for security reasons, i.e. if it is known or suspected that the certificate was compromised.

For example, you should use this option in the following cases:

  • A computer where the certificate was installed was lost or stolen.
  • Smartcard lost or stolen.

How to revoke a user certificate

To revoke your CERN Certification Authority user certificate:

  • Proceed to the My User Certificates page.
  • Select the certificate you need to revoke by clicking on the "details" link.
  • Once the certificate details appear, click on the "Revoke certificate" link, and follow the provided instructions.

Host certificates

Host certificates can only be revoked for security reasons.

How to revoke a host certificate

In order to revoke your CERN Certification Authority host certificate, please address your request to the Service Desk (phone +41 22 76 77777 or service-desk@cern.ch), specifying:

  • The security reason why the certificate should be revoked.
  • The serial number of the certificate to revoke.

If you don't have access to your certificate and cannot determine its serial number, please specify its start or expiration date, the CERN account name that was used to request it, and the name of the machine to which the certificate was issued.

How to determine a certificate serial number

To get the serial number of your certificate you can execute the following openssl command:

openssl x509 -in CERTIFICATE_FILE -serial -noout

If the certificate was embedded into a certificate store, you can also check its properties using your browser:

  • Internet Explorer: Tools -> Internet Options -> Content -> Certificates
  • Firefox: Tools -> Options -> Advanced -> Encryption -> View certificates -> Your Certificates
  • Chrome: Settings -> Show advanced settings... -> HTTPS/SSL -> Manage certificates... -> Personal
  • For other browsers, please check the appropriate settings.
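
The details a host certificate revocation request asks for (serial number, start and expiration date, machine name) can be read from a certificate file in one step, whether it is PEM or DER encoded. The script below is an added example, not part of the original CERN page; the function names and the throwaway sample certificate (serial 0A1B2C, CN host.example.org) are constructed for illustration.

```shell
#!/bin/sh
# Added example: collect the certificate details a revocation request needs.

# Print one x509 field (value only), accepting PEM or DER input.
# usage: cert_field FILE -serial|-startdate|-enddate|-subject
cert_field() {
    out=$(openssl x509 -in "$1" -noout "$2" 2>/dev/null) ||
    out=$(openssl x509 -in "$1" -inform DER -noout "$2" 2>/dev/null) ||
    return 1
    printf '%s\n' "${out#*=}"   # drop the "serial=", "notBefore=", ... label
}

# Print the fields to quote in the request; fail if FILE is not a certificate.
revocation_request_details() {
    serial=$(cert_field "$1" -serial) || {
        echo "cannot read a certificate from $1" >&2
        return 1
    }
    echo "Serial number: $serial"
    echo "Valid from:    $(cert_field "$1" -startdate)"
    echo "Valid until:   $(cert_field "$1" -enddate)"
    echo "Subject:       $(cert_field "$1" -subject)"
}

# Constructed sample: throwaway self-signed certificate with a known serial,
# written as both PEM and DER so the fallback path can be exercised.
make_sample_cert() {   # usage: make_sample_cert OUT_DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -set_serial 0x0A1B2C -subj "/CN=host.example.org" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null &&
    openssl x509 -in "$1/sample.pem" -outform DER -out "$1/sample.der"
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" && revocation_request_details "$tmp/sample.der"
rm -rf "$tmp"   # remove the throwaway key and certificates
```

For a real request, call revocation_request_details with the path of the certificate file to be revoked and copy the printed fields into the message to the Service Desk.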

Created: 10/12/2015
Last reviewed: 5/19/2017