How do I revoke the certificate with my server, which uses IIS on Windows Server 2012 R2?


#1

I got a LetsEncrypt certificate working for my site on my IIS Windows Server 2012 R2 server.
I used ACMESharp to get it working ( https://github.com/ebekker/ACMESHarp/wiki/Example-Usage ), which uses PowerShell commands.

However, I now need to revoke the certificate and I’m not sure how. There is no tutorial for this on the ACMESharp wiki.

Please help if you can.


#2

Bump…? I’m hoping that this has an answer =(


#3

You really need to ask on the ACMESharp pages (which is probably why you haven’t got an answer here).

From a quick look at the code though, it doesn’t look as if it has the functionality in it to revoke a cert (it does have part of the code though).

If the developers of ACMESharp aren’t going to fix that, then you would need to use a different client to revoke the cert - which could be done as long as you have the private key for it.

Alternatively, when is the certificate valid until? If it’s close to expiry it will expire soon anyway.


#4

Based on screenshots I took from when I was signing up, http://i.imgur.com/UqQ0VWn.png It looks like there are 2 expiration dates? One of which has already passed, on February 22, 2016 (I signed up on February 15, 2016), and one which is going to pass in December 2016.

Do you know how this impacts my case? I am new to certificate stuff so I feel like I am reading everything in Greek!


#5

It looks as if your certificates have already expired (they are only valid for 90 days).

Try searching for your domain at https://www.google.com/transparencyreport/https/ct/ or https://crt.sh/ , which should give you the dates that your certificates were valid for.

Alternatively, provide your domain name, and I’ll take a look.

Can I ask the silly question - why do you want to revoke the certificate?


#6

Thank you for the help and resources.

Strange… When I look it up on the Google page you provided me, it says Valid From “Feb 15, 2016” and Valid To “May 15, 2016”. That makes more sense (I remember hearing about each certificate lasting 3 months), but I don’t know what those other expiration dates signified. I can still provide the domain name if it helps further.

I want to revoke the certificate because… (Cue Long Story) When I signed up for the LetsEncrypt certificate on my Windows Server, I did it using ACMESharp. The command I used to specify my URL to LetsEncrypt when signing up was: New-ACMEIdentifier -Dns example.com -Alias example.com_Alias

But what I didn’t know is that, apparently, I also needed to include the www version of my URL when signing up. Because when the LetsEncrypt certificate was validated, https://example.com worked, but https://www.example.com did not (notice the www).

So I guess I should have done New-ACMEIdentifier -Dns website.com www.website.com -Alias website.com_Alias www.website.com_Alias
although I’m still not sure if that command will actually work

But anyway, I wanted to revoke my original certificate so that I could try that command.
Another option I might have is creating an entirely new certificate for just the www version of my URL? But I tried that, and the process got stuck on the validation for some reason.

Do you have any suggestions on what I should do?
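Before reissuing anything, it helps to confirm what the server is actually serving: the real NotBefore/NotAfter window of the installed certificate (the question of the "two expiration dates" above) and which DNS names it covers (whether www is present). The following is an added example, not code from the thread or from ACMESharp; it reads the local machine store that IIS binds certificates from. The store path, the issuer filter and the domain name checked for are assumptions.

```powershell
# Added example (not from the thread or ACMESharp): list Let's Encrypt certs
# in the machine store with their validity window and the names they cover.
$store   = 'Cert:\LocalMachine\My'   # assumption: IIS binds certs from this store
$wwwName = 'www.example.com'         # assumption: the name that was missing

Get-ChildItem $store |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" } |
    ForEach-Object {
        $cert = $_

        # Subject Alternative Name extension (OID 2.5.29.17). Format($false)
        # yields one line like "DNS Name=example.com, DNS Name=www.example.com".
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dnsNames = if ($sanExt) {
            ($sanExt.Format($false) -split ',\s*') |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        } else { @() }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore          # issuance date
            NotAfter   = $cert.NotAfter           # the date that matters: 90 days later
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            DnsNames   = ($dnsNames -join ', ')
            CoversWww  = ($dnsNames -contains $wwwName)
        }
    } | Format-List

# Which thumbprint each IIS HTTPS binding actually uses (WebAdministration module).
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Host, Thumbprint
```

Compare the `Thumbprint` of the binding with the certificate list: a certificate that is in the store but not bound, or that is bound but has `CoversWww` false, explains a working `https://example.com` alongside a failing `https://www.example.com` without any need to revoke.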


#7

You don’t need to revoke the old certificate to generate a new one.

I’d just generate a new certificate (including both the www. and non-www domain), which should be fine.

There is a limit of 5 certificates per domain name per 7 days - however you don’t look to be anywhere near that limit.

Do you have any error message or anything from when it got stuck? I have never used ACMESharp - but the error messages may give a clue.


#8

I tried to make a new certificate using the command:

New-ACMEIdentifier -Dns example.com www.example.com -Alias example.com_Alias www.example.com_Alias

instead of

New-ACMEIdentifier -Dns example.com -Alias example.com_Alias

but the former doesn’t work, unfortunately. I tried a few other ways like:

New-ACMEIdentifier -Dns truetwin.com,www.truetwin.com -Alias truetwin.com_Alias,www.truetwin.com_Alias

but ultimately I’m guessing ACMESharp doesn’t allow you to sign up for www and non-www under the same certificate. Do you think it would work to do a new certificate for just the www version, so that I’d essentially have 2 separate certificates for the www and non-www version of my site?

I think that is what I actually tried before, which caused the error, which is surprisingly still on my PowerShell for reference: http://i.imgur.com/M8UPOjG.png I guess the Challenge portion fails.


#9

You can’t have 2 different certs for the same site; you need to have one, with both names on it. I don’t know exactly how to do that with ACMESharp, I’m afraid - as it’s a client I haven’t used.

I’d have suspected you needed

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns2,dns3,dns4 -Alias multiNameCert
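Putting the thread's conclusion together (no revocation, one identifier per name, one certificate with the extra names as alternative identifiers), the following is an added, complete example of that flow with ACMESharp. It is not code from the thread or from the ACMESharp project: the cmdlet names follow the ACMESharp wiki linked in the first post, while the domain names, aliases, IIS site name, the `iis` handler and installer parameter names and the polling loops are assumptions that you should check against the version of ACMESharp you have installed.

```powershell
# Added example (not from the thread or the ACMESharp project): request ONE
# certificate covering both the bare and the www name, validate each name
# with http-01 through the IIS handler, and bind the result on port 443.
Import-Module ACMESharp

$domains   = 'example.com', 'www.example.com'   # assumption: your names, bare one first (becomes the CN)
$siteName  = 'Default Web Site'                   # assumption: the IIS site that answers for both names
$certAlias = 'example-com-multi-' + (Get-Date -Format 'yyyyMMdd')

# One identifier per DNS name. The alias is only a local handle in the vault;
# identifiers can be re-requested freely, the old certificate is not revoked.
$aliases = foreach ($d in $domains) {
    $alias = ($d -replace '\.', '-') + '-id'
    New-ACMEIdentifier -Dns $d -Alias $alias | Out-Null
    $alias
}

# Authorize each name separately. The 'iis' handler (assumed parameter name
# WebSiteRef) writes the token under /.well-known/acme-challenge/ on that site.
foreach ($alias in $aliases) {
    Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis `
        -HandlerParameters @{ WebSiteRef = $siteName } | Out-Null
    Submit-ACMEChallenge $alias -ChallengeType http-01 | Out-Null

    # Poll until the CA has decided; a failure here is where "stuck on the
    # challenge" shows up, and the Status/error detail is what to report.
    do {
        Start-Sleep -Seconds 5
        $auth = Update-ACMEIdentifier $alias -ChallengeType http-01
    } while ($auth.Status -eq 'pending')
    if ($auth.Status -ne 'valid') {
        throw "Authorization for $alias failed with status '$($auth.Status)'"
    }
}

# One certificate: first identifier is the CN, the rest are SAN entries
# (the -AlternativeIdentifierRefs form suggested in the last reply above).
$cn   = $aliases[0]
$sans = @($aliases[1..($aliases.Count - 1)])
New-ACMECertificate $cn -Generate -AlternativeIdentifierRefs $sans -Alias $certAlias | Out-Null
Submit-ACMECertificate $certAlias | Out-Null

# Wait until the CA has issued it (IssuerSerialNumber is populated).
do {
    Start-Sleep -Seconds 5
    $cert = Update-ACMECertificate $certAlias
} while (-not $cert.IssuerSerialNumber)

# Bind it on 443 for the site (installer parameter names are assumptions).
Install-ACMECertificate $certAlias -Installer iis `
    -InstallerParameters @{ WebSiteRef = $siteName; BindingPort = 443 }
```

The old single-name certificate simply stays in the store until it expires; revocation is only worth the trouble when the private key is believed compromised, and a client that has the key can do it later if that ever becomes necessary.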