Keys remain after revoking a certificate

I'm testing the revoke command with the --delete-after-revoke option.

After running the revoke the live and renewals directory are both empty as expected.

My question relates to the keys directory.

After running the revoke I see that that I still have a key file:


I would have expected the revoke command to remove this file.

Am I doing something wrong or should this file exist after running revoke?

certbot --version
certbot 1.7.0

Ubuntu 20.10


certbot certonly --dns-cloudflare --dns-cloudflare-credentials /tmp/cloudflare/settings.ini -m -d --agree-tos --manual-public-ip-logging-ok --non-interactive --work-dir=/tmp/etc/letsencrypt/work --config-dir=/tmp/etc/letsencrypt/config --logs-dir=/tmp/etc/letsencrypt/logs --staging

certbot revoke --cert-path /tmp/etc/letsencrypt/config/live/ --non-interactive -m null --agree-tos --work-dir=/tmp/etc/letsencrypt/work --config-dir=/tmp/etc/letsencrypt/config --logs-dir=/tmp/etc/letsencrypt/logs --delete-after-revoke --staging

1 Like

Yes, --delete-after-revoke is only intended to delete the certificate lineage from /etc/letsencrypt/{archive,live,renewal}/ as a convenience, since it has no practical use after revocation, unless you want to go on to renew it.

The files written to csr/ and keys/ are not tracked by Certbot. Those directories are a sort of forensic archive and there is a plan/idea to deprecate them entirely: Deprecate /etc/letsencrypt/{keys,csr} · Issue #4634 · certbot/certbot · GitHub



It really doesn't help that the certbot user guide has contradictory information:

If your account key has been compromised or you otherwise need to revoke a certificate, use the revoke command to do so. Note that the revoke command takes the certificate path (ending in cert.pem), not a certificate name or domain.


revoke Revoke a certificate (supply --cert-name or --cert-path)



Revoke a certificate specified with --cert-path or --cert-name

Additionally, why is revoke a "command" and delete a "subcommand"?


You might want to heed this:

Once a certificate is revoked (or for other certificate management tasks), all of a certificate’s relevant files can be removed from the system with the delete subcommand:

certbot delete --cert-name

and this:


There's no need to continually use account-registration parameters:

-m --agree-tos

This is obsolete:


1 Like

So it's safe to delete csr/ and keys/ at any time?

1 Like

Only since 1.10.0, OP is still on 1.7.0.

It is safe to delete the contents of these directories, yes.

I wouldn't delete the directory itself, something bad will probably happen.

I'll rewrite it, thanks.


Thanks, @_az. :slightly_smiling_face: I might have to take Brad up on that overhaul of the user guide once I finally have adequate time.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.