SECURING


Revoking a certificate

A CA administrator can easily revoke an Internet certificate -- for example, if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted.

About this task

If you revoke a certificate, especially if a key has been compromised, issue an immediate CRL so that any entity checking CRLs has the most updated revocation information.

Procedure

1. From the Domino® Administrator, click Files. Open the ICL directory.

2. From the list of ICL databases, open the ICL for the certifier that issued the certificate you need to revoke.

3. Open the Issued Certificates -> By Subject Name view.

4. Open the Issued Certificate document for the certificate you want to revoke. The document name is the same as the subject name.

5. Click Revoke Certificate.

6. In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK. This sends a revocation request to the Administration Requests database.

7. Once you have made sure that the certifier has processed the revocation request and revoked the certificate, issue an immediate (non-regular) CRL.

Results

The next time the CA process refreshes, the Issued Certificate document will be updated to indicate that the certificate has been revoked. When you open the Issued Certificate document again, the Revocation Information section will indicate that the certificate has been revoked, the revocation date and time, the reason for the certificate's revocation, and date and time the certificate became invalid.

Related concepts
Domino server-based certification authority

Related tasks
Modifying a server-based CA

Related reference
Certificate Authority process tell commands

Related information
Domino server-based certification authority