Revocation and creating new cert with existing key

Hi, I mistakenly revoked a certificate thinking it was the way to delete an erroneous SSL setup.
I was using Let’s Encrypt win simple. There is nothing wrong with my existing key and it is still secure.
Can I create a new certificate and still use my existing private key?
Or will the revocation cause all new certs made with this private key to be red flagged as suspicious?
Thanks for your help!

Only the certificate in question has been revoked. I am not aware of any restrictions on the private key of that certificate, although it would make sense that the key should also be denied usage after the revocation.

As there is no reason in your case to not reuse the key, you might give it a go and generate a new certificate with it.
If it doesn’t work, you can always generate a new key.

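To make the point of the reply above concrete (the certificate is what gets revoked; the key is a separate object that can back a fresh CSR), here is an added example that is not code from the thread or from win-simple. It assumes only that `openssl` is on PATH. The throwaway CA, the key and the subject names are constructed for the demo and carry no trust; the real issuer's policy on reusing keys is a separate question that this script cannot answer. It issues one certificate from a key, issues a second one from the same key, and then checks that both certificates and the key carry the same public key while the two certificates are distinct (different serials). The `pubkey_fp` helper is also the check to run by hand if you want to confirm which key a cached certificate actually belongs to.

```shell
#!/bin/sh
# Added example, not code from the thread or from win-simple: show that a
# certificate and the private key behind it are separate objects, so a new
# CSR and certificate can be built from the same key that backed a revoked
# certificate. Assumes only that `openssl` is on PATH; the CA, key and
# subject names below are constructed for the demo and carry no trust.
set -eu

# SHA-256 fingerprint of the public key carried by a private key, a CSR or a
# certificate, normalised to DER so the three can be compared directly.
pubkey_fp() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
    csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Throwaway CA standing in for the real issuer (constructed for the demo).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1
}

# The operation the thread asks about: build a CSR from an EXISTING key
# (note -key, not -newkey) and have the issuer sign it.
issue_with_existing_key() {
  key="$1"; name="$2"
  openssl req -new -key "$key" -subj "/CN=example.test" \
    -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$name.crt" -days 1 >/dev/null 2>&1
}

# Prints "ok" when the replacement certificate carries exactly the same public
# key as the original certificate and the key file, yet is a distinct
# certificate (different serial). Revoking the first certificate changes the
# CA's view of that serial only; nothing here touches the key.
same_key_reissue_check() {
  WORK="$(mktemp -d)"
  make_demo_ca
  openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null   # the "existing key"
  issue_with_existing_key "$WORK/site.key" revoked_one     # cert later revoked
  issue_with_existing_key "$WORK/site.key" replacement     # new cert, same key

  k=$(pubkey_fp key  "$WORK/site.key")
  a=$(pubkey_fp cert "$WORK/revoked_one.crt")
  b=$(pubkey_fp cert "$WORK/replacement.crt")
  sa=$(cert_serial "$WORK/revoked_one.crt")
  sb=$(cert_serial "$WORK/replacement.crt")
  rm -rf "$WORK"

  if [ "$k" = "$a" ] && [ "$k" = "$b" ] && [ "$sa" != "$sb" ]; then
    echo ok
  else
    echo mismatch
  fi
}

same_key_reissue_check
```

Run it as `sh reissue.sh`; it prints `ok`. The one caveat a practitioner should keep in mind: this proves the key is usable, not that it is safe to reuse. If the revocation had been submitted with the "key compromise" reason, the right move is a new key regardless of what the CA enforces.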

I believe the revocation request includes a reason code; if the reason was “key compromise” then in principle the CA should blacklist that key (because someone in possession of the key told the CA that it had been compromised!). But I’m not sure if such a blacklist is implemented in Boulder.

Cc @jsha


Thanks Osiris and schoen! I used Win Simple and it didn’t ask me for any reason when I chose the revoke option. Is there any way for me to find out whether it gave a reason/what reason it gave?

I looked very quickly at some of the specs and code and it looks to me like probably no reason is provided, which means the CA won’t have been told what the reason was.


If no reason is given is it safe for me to try to create a new cert using my original key? Or would it just be better/safer to go ahead and make a new private key?

I don’t see any reason that you can’t try it!

Do you have any reason not to use a new key?

It’s mostly because I already used up a chunk of my rate limit with all my trial and error attempts, so I don’t have very many tries left before I hit the limit. So I wanted to ask first before trying in case I get it wrong and have to wait another week before I can try again.

The rate limit for failed attempts only lasts for an hour, not a week.

@mnordhoff no, I am just unfamiliar with the Windows Server environment and SSL so I was hoping I wouldn’t have to try to figure out how to make a new key on top of trying to figure out how to fix my current mess :joy:

At present win simple won’t let me create a new key - it keeps re-using the old revoked cert in the cache, but I think the attempts I made to create a new cert/renew have counted towards my rate limit total, so I don’t have many tries left.

@schoen My attempts to create a new cert succeeded! But win simple said it was using the cached cert instead (I am not sure where that cache is hidden), so I keep getting stuck with the old revoked copy :sweat_smile:

Right now it says I have one cert which is due to be renewed in March, but it is the old revoked one. I tried to renew twice (I don’t know if that counted against my total) and twice it reused the cached one.

Sounds like something you might ask or report to the developers of win-simple.

Thanks Osiris! Yes I’ll be asking them about the specific cache problem. I just wanted to ask a general question here about the private key as I don’t know how the key stuff works or how one is created, and whether it would affect any new cert I made because of the revocation.

I thought the key was created by Windows and had no clue how to have it make a new one, but maybe win-simple can make a new key for me automatically?

Update for anyone who may have a similar problem in future: the re-using of the cached revoked cert has been marked as a bug, so this will hopefully be fixed in future versions of win-simple. Workarounds include deleting the files in the cache folder or using the --forcerenewal option.
