Certificate Revocation List
Akeyless enables you to proactively revoke certificates before their scheduled expiration date and seamlessly add them to a Certificate Revocation List (CRL), ensuring enhanced security and trust in your certificate management process. Each PKI Cert Issuer generates a consistent Certificate Revocation List (CRL) for all its issued certificates. In addition, Akeyless supports the Online Certificate Status Protocol (OCSP), providing real-time certificate status verification to further strengthen your PKI security and streamline revocation checking.
Note: Your PKI Issuer Signer Key must be set with the keyusage:critical,cRLSign extension to maintain a CRL and support self-signed certificate revocation.
Revoke a Certificate Using the Akeyless CLI
To revoke a certificate with the CLI, run the following command:
akeyless revoke-certificate \
--name <Certificate name> \
--version <Certificate version>

Where:
- name: The certificate's full name. Alternatively, it can be provided using item-id.
- version: Certificate version to revoke.
Upon successful revocation, the certificate status will change from Valid to Revoked.
You can find the complete list of parameters for this command in the CLI-Reference-Certificates section.
Revoke a Certificate Using the Akeyless Console
To revoke a certificate from the console:
- Log in to the Akeyless Console, go to Items, and find the certificate you wish to revoke.
- Click on the Certificate, open the Action Menu (three dots), and click Revoke.
Revocation List
Once a certificate is revoked, it is added to the Certificate Revocation List. The CRL is updated automatically when a certificate is revoked using either the CLI command or the console — no manual CRL refresh step is required. For each issuer, the revocation list is published in the following formats, where applicable:
Public CRL at: https://vault.akeyless.io/crl/<account-id>/<cert-issuer-display-id>.
Private CRL endpoint on the Gateway at https://<gatewayURL>:8000/crl/<cert-issuer-display-id>.
Public OCSP at: https://vault.akeyless.io/ocsp/<account-id>/<cert-issuer-display-id>.
Private OCSP endpoint on the Gateway at https://<gatewayURL>:8000/ocsp/<cert-issuer-display-id>.
Note: OCSP support is optional. Applications that do not implement OCSP can rely on CRL-based revocation checking alone. Both mechanisms reflect the same revocation state; you do not need to implement OCSP unless your environment or compliance requirements specifically call for it.
To view the Certificate Revocation List information for a Certificate Item, click View Certificate Details and scroll down to CRL Distribution Points, where the CRL endpoints are listed.
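As an added example (not Akeyless code and not part of this page), the following Go program shows what a relying application should do with a CRL fetched from one of the endpoints above: parse the DER list, verify its signature against the issuer certificate (which must carry the cRLSign key usage noted above), refuse the list once nextUpdate has passed, and only then look for the certificate's serial number. The issuer certificate and CRL are constructed in memory with Go's standard crypto/x509 package so the program runs offline; in real use you would replace BuildDemo with the issuer certificate obtained from Akeyless and the bytes returned by the public or Gateway CRL URL. The serial 4242 and the issuer name are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the result of checking one certificate serial against a CRL.
type Status struct {
	Revoked bool
	When    time.Time // revocation time; zero when not revoked
}

// CheckSerialAgainstCRL parses a DER-encoded CRL (the format served by a CRL
// distribution point), verifies it was signed by issuer, rejects a stale
// list, and reports whether serial is listed. It never trusts an unverified
// CRL: a forged, foreign or expired list yields an error, not "valid".
func CheckSerialAgainstCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (Status, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Status{}, fmt.Errorf("parse CRL: %w", err)
	}
	// The signer must carry the cRLSign key usage (the issuer signer key
	// note above); CheckSignatureFrom enforces this as well.
	if issuer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return Status{}, errors.New("issuer key usage lacks cRLSign")
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return Status{}, fmt.Errorf("CRL signature: %w", err)
	}
	// A CRL past NextUpdate may omit recent revocations; treat it as
	// unusable rather than silently answering "not revoked".
	if now.After(rl.NextUpdate) {
		return Status{}, fmt.Errorf("CRL stale: nextUpdate %s", rl.NextUpdate.UTC())
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return Status{Revoked: true, When: rc.RevocationTime}, nil
		}
	}
	return Status{}, nil
}

// BuildDemo constructs, in memory, an issuer certificate with cRLSign and a
// CRL that revokes serial 4242. This is constructed test data standing in for
// an Akeyless issuer and its published CRL; nothing is fetched over the network.
func BuildDemo() (*x509.Certificate, *big.Int, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Issuer (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04}, // required by CreateRevocationList
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	issuer, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	revokedSerial := big.NewInt(4242) // constructed serial of the "revoked" certificate
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revokedSerial, RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, key)
	if err != nil {
		return nil, nil, nil, err
	}
	return issuer, revokedSerial, crlDER, nil
}

func main() {
	issuer, serial, crlDER, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	st, err := CheckSerialAgainstCRL(crlDER, issuer, serial, time.Now())
	fmt.Println("serial 4242:", st.Revoked, err) // true <nil>
	st, err = CheckSerialAgainstCRL(crlDER, issuer, big.NewInt(7), time.Now())
	fmt.Println("serial 7:", st.Revoked, err) // false <nil>
	_, err = CheckSerialAgainstCRL(crlDER, issuer, serial, time.Now().Add(48*time.Hour))
	fmt.Println("two days later:", err) // stale CRL error
}
```

For a quick manual look at a CRL downloaded from one of the endpoints above, openssl crl -inform DER -in <file> -noout -text lists the same revoked serials, thisUpdate and nextUpdate fields that the program checks; the point of the Go version is that the signature and freshness checks happen before any serial lookup, so a tampered or stale list fails closed.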
