Certificate revoke steps


#1

Hi,

I used the command below to revoke the certificate.

letsencrypt revoke -d example.com --cert-path /etc/letsencrypt/live/examplecom/cert.pem

It just dropped back to the command line. Does that mean it's done?

I am checking the domain on crt.sh. It doesn't seem to be revoked.


#2

crt.sh is a log monitor, a reporter on historical facts about which certificates were logged. Let’s Encrypt automatically logs every certificate it issues, so your certificate (with the example.com domain name) will appear in crt.sh forever.

Revoking the certificate doesn’t change the fact that it was issued. All that happens when you ask for revocation is that Let’s Encrypt changes the Certificate Status reported by its OCSP responder to say revoked for that certificate. Systems which check OCSP will notice some time within the refresh period of OCSP, several days.

You should ask Let's Encrypt to revoke if you believe your private key may have been compromised, or if the certificate should never have been issued (e.g. an administrator at your company got the cert without permission while trying to be helpful; that has happened at Facebook). Otherwise, in most scenarios there's no need to revoke; just let the old certificates expire naturally.

I'm intrigued as to why users feel they "ought" to revoke, and also why they expect revoking to make things vanish off crt.sh, as I have seen this idea more than once now.


#3

If you really want to watch a third party confirm that your certificate is revoked you can use https://certificate.revocationcheck.com/ with either a site URL (if for some reason you've left a site live despite wanting to revoke the certificate it uses) or the certificate details.


#4

Thank you for the explanation. Then I think I will leave it as it is to expire. I plan to delete my VPS server instance (I guess I messed up) and will build from scratch. And when I delete the VPS server instance those PEMs will be erased.

That is why, before deleting my instance, I just want to make sure that these certificates don't haunt me like a ghost.

"Ought" to revoke: I can't speak for the other users. For me, revoke means erasing the mistake I have made. I thought it would vanish because I am a member of the "instant delete expecting generation". In my keychains, in various situations, I press a document, an image, a word, and it is deleted. So that is why. Former experiences.


#5

I checked the second link; there it is shown as revoked. Thanks for this link as well.


#6

So in essence you revoked the cert, but the letsencrypt client didn't give you any information whatsoever about it? That's kinda strange… :scream:

Hmm, the revoke code is quite sublime indeed:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.