How to revoke certificate after losing key

We have a domain that is using Cloudflare, but the SSL cert seems to have been generated via Let's Encrypt by a previous admin who left the organisation, and we have no way of obtaining the private key for the certificate. We need the key because we are setting up a Guest Wifi and the cert needs to be uploaded to our firewall for it to be trusted.

How can we revoke or reissue the key? I need to know answers for both.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You can't reissue a private key. You can recover a private key that is marked for deletion but undamaged.

You can revoke a certificate in several ways depending upon the reason for revocation. Has its private key been compromised (shared with an untrusted party)?

2 Likes

None of your question is really making much sense to me. If you're just using the site on Cloudflare, then you wouldn't need the private key at all. And if you're running the site, then either Cloudflare is maintaining the key for you (and you don't need access to it since they're handling the encryption), or you have control of the server (and thus should have the private key already on it). Are you moving this site to some other server? If so, you can just create a new certificate on the new server and not worry about the old one at all.

All of that to say, I think you need to give a lot more details in order for people here to help you. Usually anything that you might need to load onto a firewall wouldn't be related to a specific 90-day site certificate.

5 Likes

We have a captive portal on our Guest wifi and we were planning to use an SSL certificate for it. We issued one through Cloudflare and uploaded this in the Firewall along with the CA root Certificate of Cloudflare but when the captive portal is launched we got an SSL certificate trust error.

According to the instructions we were given in order for the Certificate to be trusted we need to have it imported into the Firewall along with the root CA certificate.

One thing we noted: if we look at the certificate that is being used on the portal, it is issued by Let's Encrypt. When we go into the Cloudflare portal we can also see this as active. We presume this is the reason why we get a certificate error, hence why we thought to revoke the cert from Let's Encrypt.

1 Like

You uploaded a Cloudflare origin certificate: Cloudflare breaks the TLS connection on their server, and the certificate you got from CF is just for the link between your server and Cloudflare; nobody else will trust it. And only Cloudflare has the private key for that certificate; even your last admin won't have the key for that.
Get a fresh new set of certificates and import that to the firewall.

3 Likes

It's not been compromised, but we are getting a certificate trust error on the captive portal where it is being used.

Sorry, get a new certificate from where? It seems the domain is taking the certificate from Let's Encrypt. Even if we generate a new certificate it will make no difference. We want to remove the association with Let's Encrypt.

If I browse to thedomain.com it gives me a non-trusted Let's Encrypt cert. I want to dissociate that but am not clear on how to. I can see the Let's Encrypt certificate active in Cloudflare under Edge Certificate settings.

My aim is to have a Guest Wifi portal with an SSL cert.

The problem I seem to have right now is that if I browse to the domain it presents an untrusted certificate error, and the certificate is from Let's Encrypt. I just want to know how to revoke the Let's Encrypt certificate.

The certificate you were given from Cloudflare is not an LE certificate; it's https://blog.cloudflare.com/cloudflare-ca-encryption-origin/, which only Cloudflare issues, and only they will trust. They keep hold of the private key of the actual LE certificate and won't give it to you. As your captive portal captures the connection and doesn't pass it to Cloudflare, the client will see this origin certificate and won't trust it.

You have the orange one here.

3 Likes

Hold on.
There exists the possibility that CloudFlare has issued an LE cert for your domain, and it is being used on their servers (on your behalf).
That said, if there exists a valid cert anywhere on your web server system (wherever it came from is irrelevant), the admin of that web server must be able to find it and provide it to your firewall person.

3 Likes

Please post the certificate you are seeing so that we can address this properly. It only contains public information, so posting it won't affect your security. I suspect that @orangepizza and @rg305 have the right idea.

5 Likes
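Added example (not from the thread or from any poster): the replies above say the portal is serving a Cloudflare origin certificate that no public root vouches for, and ask the poster to inspect the certificate. These shell functions do that inspection with the openssl CLI: print the issuer and check whether the certificate chains to the local trust store as a browser would. All file names and subject names here are constructed stand-ins.

```shell
#!/bin/sh
# Print the issuer field of a PEM certificate file.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Exit 0 and print "publicly-trusted" if the certificate verifies against the
# local CA store (what a browser or captive-portal client requires). Otherwise
# exit 1 and print the issuer, which for a Cloudflare Origin CA certificate is
# a private CA that only Cloudflare's edge trusts, not a public root.
cert_trust_status() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo "publicly-trusted"
        return 0
    fi
    echo "not-trusted-by-clients (issuer: $(cert_issuer "$1"))"
    return 1
}

# Save the leaf certificate a live host actually serves, so it can be fed to
# the functions above. Not run here; the host name is a constructed placeholder.
fetch_served_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Constructed stand-in for an origin certificate: self-signed by a private CA
# name, so no public root vouches for it, which is the trust error the portal
# shows. Prints the path of the generated certificate.
make_constructed_origin_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Example/CN=Constructed Origin CA" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

Run `fetch_served_cert portal.example.test served.pem` against the captive portal and then `cert_trust_status served.pem`; a publicly issued Let's Encrypt certificate reports trusted, while an origin certificate reports its private issuer.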

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.