How can I revoke my ACM public certificate?

Last updated: 2022-06-24

How can I revoke an AWS Certificate Manager (ACM) public certificate?

Short description

If you no longer need your ACM public certificate, you can delete the certificate. If you need to revoke your ACM public certificate for compliance reasons, AWS Support can do this on your behalf. Important: Revoked ACM public certificates can't be used again with the same serial number.

Resolution

Submit a request to AWS Support to revoke the public certificate

Follow the instructions to create a support case in the Support Center of the AWS Management Console.

For emailed validated certificates, an email that looks similar to the following is sent to three registered addresses in WHOIS and the five common domain name addresses:

Amazon Trust Services has been requested to revoke the following
certificate. If you requested this revocation, please respond to this
email with I approve.

Domain: <DOMAIN>
AWS account ID: <AWS Account ID>
AWS Region name: <REGION>
Certificate identifier: <CERTIFICATE IDENTIFIER>

Sincerely,

Amazon Trust Services

For DNS validated certificates, you might be contacted by AWS Support to add a unique TXT record in the DNS database to verify domain ownership.

After receiving the requested information and domain ownership is confirmed, AWS Support revokes the public certificate.

Verify that the ACM public certificate is revoked with OpenSSL

Note: If you receive errors when running OpenSSL commands, make sure that you’re using the most recent OpenSSL version.

1.    Get the certificate file information for your domain and save the output to a .pem file:

$ openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > example.pem

2.    Check if the certificate has an Online Certificate Status Protocol (OCSP) URI:

$ openssl x509 -noout -ocsp_uri -in example.pem

Output:
http://ocsp.rootca1.amazontrust.com

3.    Capture the certificate chain:

$ openssl s_client -connect example.com:443 -showcerts 2>&1 < /dev/null

4.    Save the .pem file.

5.    Send an OCSP request similar to the following:

openssl ocsp -issuer chain.pem -cert example.pem -url http://ocsp.rootca1.amazontrust.com

Output:
Response verify OK
example.pem: revoked
This Update: Apr 9 03:02:45 2014 GMT
Next Update: Apr 10 03:02:45 2014 GMT
Revocation Time: Mar 25 15:45:55 2014 GMT

In the output, note that the response is revoked.


Did this article help?


Do you need billing or technical support?