AWS Certificate Manager Private Certificate Authority
AWS Private Certificate Authority Documentation (API Version 2017-08-22)

RevokeCertificate

Revokes a certificate that you issued by calling the IssueCertificate operation. If you enable a certificate revocation list (CRL) when you create or update your private CA, information about the revoked certificates will be included in the CRL. ACM PCA writes the CRL to an S3 bucket that you specify. For more information about revocation, see the CrlConfiguration structure. ACM PCA also writes revocation information to the audit report. For more information, see CreateCertificateAuthorityAuditReport.

Request Syntax

{
   "CertificateAuthorityArn": "string",
   "CertificateSerial": "string",
   "RevocationReason": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

CertificateAuthorityArn

Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*

Required: Yes

CertificateSerial

Serial number of the certificate to be revoked. This must be in hexadecimal format. You can retrieve the serial number by calling GetCertificate with the Amazon Resource Name (ARN) of the certificate you want and the ARN of your private CA. The GetCertificate operation retrieves the certificate in the PEM format. You can use the following OpenSSL command to list the certificate in text format and copy the hexadecimal serial number.

openssl x509 -in file_path -text -noout

You can also copy the serial number from the console or use the DescribeCertificate operation in the AWS Certificate Manager API Reference.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 128.

Required: Yes

RevocationReason

Specifies why you revoked the certificate.

Type: String

Valid Values: UNSPECIFIED | KEY_COMPROMISE | CERTIFICATE_AUTHORITY_COMPROMISE | AFFILIATION_CHANGED | SUPERSEDED | CESSATION_OF_OPERATION | PRIVILEGE_WITHDRAWN | A_A_COMPROMISE

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors.

ConcurrentModificationException

A previous update to your private CA is still ongoing.

HTTP Status Code: 400

InvalidArnException

The requested Amazon Resource Name (ARN) does not refer to an existing resource.

HTTP Status Code: 400

InvalidStateException

The private CA is in a state during which a report cannot be generated.

HTTP Status Code: 400

RequestAlreadyProcessedException

Your request has already been completed.

HTTP Status Code: 400

RequestFailedException

The request has failed for an unspecified reason.

HTTP Status Code: 400

RequestInProgressException

Your request is already in progress.

HTTP Status Code: 400

ResourceNotFoundException

A resource such as a private CA, S3 bucket, certificate, or audit report cannot be found.

HTTP Status Code: 400

Examples

Example

Sample Request

POST / HTTP/1.1
Host: acm-pca.amazonaws.com
Accept-Encoding: identity
Content-Length: 238
X-Amz-Target: ACMPrivateCA.RevokeCertificate
X-Amz-Date: 20180226T200035Z
User-Agent: aws-cli/1.14.28 Python/2.7.9 Windows/8 botocore/1.8.32
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 Credential=AWS_Access_Key_ID/20180226/AWS_Region/acm-pca/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=ab19c4301eb2e8e9f188f3d478cb1d5a28bfb41de3d54b5006c0738d411cfd86

{
   "CertificateSerial": "e8:cb:d2:be:db:12:23:29:f9:77:06:bc:fe:c9:90:f8",
   "RevocationReason": "KEY_COMPROMISE",
   "CertificateAuthorityArn": "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012"
}

Example

Sample Response

This function does not return a value.
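The following is an added example, not code from AWS or from this reference, that ties the two procedures above together: it pulls the hexadecimal serial out of the `openssl x509 -text -noout` output described under CertificateSerial, checks the request against the documented constraints (ARN pattern and length, hexadecimal serial of at most 128 characters, one of the listed RevocationReason values), and sends RevokeCertificate through a boto3 `acm-pca` client, treating RequestAlreadyProcessedException ("Your request has already been completed") as a successful, already-revoked outcome so that a retried revocation is idempotent. The openssl text and the `FakeClient` are constructed stand-ins; against a real client the call is `client.revoke_certificate(...)` with the three documented parameters, and botocore surfaces the error name in `e.response["Error"]["Code"]`.

```python
"""RevokeCertificate helper (added example; not AWS code).

Assumptions: SAMPLE_OPENSSL_TEXT is constructed, not a real certificate, and
FakeClient in the __main__ block stands in for boto3.client("acm-pca").
"""
import re

# Constraints copied from the RevokeCertificate request-parameter documentation.
ARN_PATTERN = re.compile(
    r"arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=/,.@-]+)*"
)
VALID_REASONS = {
    "UNSPECIFIED", "KEY_COMPROMISE", "CERTIFICATE_AUTHORITY_COMPROMISE",
    "AFFILIATION_CHANGED", "SUPERSEDED", "CESSATION_OF_OPERATION",
    "PRIVILEGE_WITHDRAWN", "A_A_COMPROMISE",
}
# Colon-separated lowercase hex pairs, the form used in the sample request above.
SERIAL_PATTERN = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})*$")

# 'openssl x509 -text -noout' prints the serial either as colon-separated hex on
# its own line or, for small values, as 'Serial Number: 4660 (0x1234)'.
_SERIAL_RE = re.compile(r"Serial Number:\s*([0-9a-fA-F:]+)(?:\s*\(0x([0-9a-fA-F]+)\))?")


def serial_from_openssl_text(text: str) -> str:
    """Return the certificate serial as lowercase colon-separated hex pairs."""
    m = _SERIAL_RE.search(text)
    if not m:
        raise ValueError("no 'Serial Number:' field found in openssl output")
    raw = m.group(2) if m.group(2) else m.group(1)
    hex_digits = raw.replace(":", "").lower()
    if len(hex_digits) % 2:            # 0x123 -> 01:23
        hex_digits = "0" + hex_digits
    return ":".join(hex_digits[i:i + 2] for i in range(0, len(hex_digits), 2))


def build_revoke_request(ca_arn: str, serial: str, reason: str) -> dict:
    """Validate the three parameters client-side and build the JSON request body."""
    if not (5 <= len(ca_arn) <= 200) or not ARN_PATTERN.fullmatch(ca_arn):
        raise ValueError(f"CertificateAuthorityArn does not match the required pattern: {ca_arn!r}")
    serial = serial.lower()
    if len(serial) > 128 or not SERIAL_PATTERN.match(serial):
        raise ValueError(f"CertificateSerial must be hexadecimal: {serial!r}")
    if reason not in VALID_REASONS:
        raise ValueError(f"RevocationReason must be one of {sorted(VALID_REASONS)}")
    return {
        "CertificateAuthorityArn": ca_arn,
        "CertificateSerial": serial,
        "RevocationReason": reason,
    }


def revoke_certificate(client, ca_arn: str, serial: str, reason: str) -> str:
    """Call RevokeCertificate; an already-processed request counts as success.

    'client' is a boto3 acm-pca client. botocore raises ClientError with the
    service error name in e.response['Error']['Code'], which is what we inspect.
    """
    request = build_revoke_request(ca_arn, serial, reason)
    try:
        client.revoke_certificate(**request)   # HTTP 200 with an empty body on success
    except Exception as e:
        response = getattr(e, "response", None)
        code = response.get("Error", {}).get("Code") if isinstance(response, dict) else None
        if code == "RequestAlreadyProcessedException":
            return "already_revoked"           # certificate was revoked by an earlier call
        raise                                  # InvalidState, ConcurrentModification, ... go to the caller
    return "revoked"


# Constructed sample shaped like 'openssl x509 -text -noout' output (not a real certificate).
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:cb:d2:be:db:12:23:29:f9:77:06:bc:fe:c9:90:f8
        Signature Algorithm: sha256WithRSAEncryption
"""

if __name__ == "__main__":
    class FakeClient:  # assumption: stand-in for boto3.client("acm-pca")
        def revoke_certificate(self, **kwargs):
            print("RevokeCertificate", kwargs)

    ca = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"
    serial = serial_from_openssl_text(SAMPLE_OPENSSL_TEXT)
    print(revoke_certificate(FakeClient(), ca, serial, "KEY_COMPROMISE"))
```

Validating locally before the call only avoids a round trip; the service still enforces the same constraints and the errors listed above. Treating RequestAlreadyProcessedException as success matters for automation that revokes on key compromise: a retry after a network failure must not be reported as a failed revocation when the CRL already carries the serial.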

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: