Certificate Revocation List

Akeyless enables you to proactively revoke certificates before their scheduled expiration date and seamlessly add them to a Certificate Revocation List (CRL), ensuring enhanced security and trust in your certificate management process.

Note: To revoke a certificate, you will need an encryption key with a self-signed certificate as the Signer Key of the PKI Cert Issuer. You can either create a new encryption key or import one. This key has to have the following configuration:

countryName= US
stateOrProvinceName= NY
localityName= NY
organizationName= Akeyless
organizationalUnitName= Security
commonName= akeylessSign

[ v3_req ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
certificate_lifetime    = 20

Once the key is created, add it to the PKI Cert Issuer as described below.


PKI Cert Issuer Settings

In this guide, we are only configuring the certificate issuer to revoke certificates. Additional settings that can be applied to the issuer can be found here.

Configure the Certificate Issuer to revoke certificates

To create a PKI Cert Issuer that can revoke certificates, follow these steps:

  1. Go to Items > New > PKI Cert Issuer
  2. Define a Name of the cert issuer, and specify the Location as a path to the virtual folder where you want to create it, using slash / separators. If the folder does not exist, it will be created together with the cert issuer.
  3. Enter the Signer Key that was created/imported earlier.
  4. Enable the Store Issued Certificates option and specify a path to where the generated certificates will be located.
  5. Select Public and/or Private CRL option:
  • Public CRL: Expose a public CRL endpoint
  • Private CRL: Expose a CRL endpoint in the Gateway

This configuration will enable the Issuer to revoke certificates.

Revoke a certificate using the Akeyless CLI

To revoke a certificate from the CLI, run the following command:

akeyless revoke-certificate --name <Certificate name> --version <Certificate version>


  • name: The certificate's full name. Alternatively, it can be provided using item-id.
  • version: Certificate version to revoke.

Upon successful revocation, the certificate status will be changed from Valid to Revoked.

You can find the complete list of parameters for this command in the CLI-Reference-Certificates section.

Revoke a certificate using the Akeyless Console

To revoke a certificate from the console:

  1. Log in to the Akeyless Console, go to Items, and find the certificate you wish to revoke.
  2. Click on the Certificate, open the Action Menu (three dots), and click Revoke.

Revocation List

Once the certificate is revoked, it is added to the Certificate Revocation List.

To view the Certificate Revocation List, follow these steps:

  • Choose a Certificate Item and scroll down to View Certificate Details.
  • Scroll down to CRL Distribution points, where the CRL Endpoints will be listed.
  • Open your browser and paste that URL.



A single Certificate Issuer generates a consistent Certificate Revocation List (CRL) for all its issued certificates. Therefore, any certificate from that issuer can be used to access the common CRL Endpoint.