How can I revoke my ACM public certificate?
Last updated: 2022-06-24
How can I revoke an AWS Certificate Manager (ACM) public certificate?
If you no longer need your ACM public certificate, you can delete the certificate. If you need to revoke your ACM public certificate for compliance reasons, AWS Support can do this on your behalf.
Important: Revoked ACM public certificates can't be used again with the same serial number.
Submit a request to AWS Support to revoke the public certificate
Follow the instructions to create a support case in the Support Center of the AWS Management Console.
For email-validated certificates, an email similar to the following is sent to the three registered addresses in WHOIS and the five common domain name addresses:
Amazon Trust Services has been requested to revoke the following certificate. If you requested this revocation, please respond to this email with I approve.
Domain: <DOMAIN>
AWS account ID: <AWS Account ID>
AWS Region name: <REGION>
Certificate identifier: <CERTIFICATE IDENTIFIER>
Sincerely,
Amazon Trust Services
For DNS-validated certificates, AWS Support might contact you to add a unique TXT record to the domain's DNS zone to verify domain ownership.
After AWS Support receives the requested information and confirms domain ownership, it revokes the public certificate.
Verify that the ACM public certificate is revoked with OpenSSL
Note: If you receive errors when running OpenSSL commands, make sure that you’re using the most recent OpenSSL version.
1. Get the certificate file information for your domain and save the output to a .pem file:
$ openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > example.pem
2. Check if the certificate has an Online Certificate Status Protocol (OCSP) URI:
$ openssl x509 -noout -ocsp_uri -in example.pem
Output:
http://ocsp.rootca1.amazontrust.com
3. Capture the certificate chain:
$ openssl s_client -connect example.com:443 -showcerts 2>&1 < /dev/null
4. Save the issuer (intermediate) certificates from the output to a .pem file, for example chain.pem.
5. Send an OCSP request similar to the following:
$ openssl ocsp -issuer chain.pem -cert example.pem -url http://ocsp.rootca1.amazontrust.com
Output:
Response verify OK
example.pem: revoked
    This Update: Apr 9 03:02:45 2014 GMT
    Next Update: Apr 10 03:02:45 2014 GMT
    Revocation Time: Mar 25 15:45:55 2014 GMT
In the output, note that the response is revoked.
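The OpenSSL check above can be rehearsed offline before running it against a live certificate. The script below is an added example and not part of the AWS article: a throwaway CA issues two leaf certificates, marks one revoked in an "openssl ca"-style index, answers the OCSP request itself, and the response is verified with the same "openssl ocsp -issuer ... -cert ..." invocation, using -respin in place of the article's -url. All names, subjects and serials are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the AWS article): rehearse the "openssl ocsp" check
# offline. A throwaway CA issues two leaf certificates, its index marks one of
# them revoked, and the CA signs the OCSP response itself; -respin stands in
# for the article's -url. All names, subjects and serials here are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway issuing CA; chain.pem plays the role of the article's issuer file.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.pem \
  -subj "/CN=Demo Issuing CA" -days 2 >/dev/null 2>&1

# issue_leaf NAME SERIAL: key + CSR + CA-signed certificate written to NAME.pem
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1.test" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA chain.pem -CAkey ca.key \
    -set_serial "$2" -days 1 -out "$1.pem" >/dev/null 2>&1
}
issue_leaf example 0x1001   # this one gets revoked below
issue_leaf intact  0x1002   # this one stays valid

# CA database in the tab-separated format "openssl ca" maintains:
# status (V/R), expiry, revocation date, serial, file, subject.
printf 'R\t301231235959Z\t220601000000Z\t1001\tunknown\t/CN=example.test\n' > index.txt
printf 'V\t301231235959Z\t\t1002\tunknown\t/CN=intact.test\n' >> index.txt

# ocsp_status NAME: ask the CA for NAME.pem's status and print only the
# status word (good / revoked / unknown). First call: build the request and
# let the CA sign a response from index.txt. Second call: verify that
# response the way the article does, reading it from a file instead of a URL.
# -no_nonce on both sides keeps the two requests comparable.
ocsp_status() {
  openssl ocsp -index index.txt -CA chain.pem -rsigner chain.pem -rkey ca.key \
    -issuer chain.pem -cert "$1.pem" -no_nonce -respout "$1.ocsp" >/dev/null 2>&1
  openssl ocsp -respin "$1.ocsp" -CAfile chain.pem \
    -issuer chain.pem -cert "$1.pem" -no_nonce 2>&1 \
    | sed -n "s/^$1\.pem: \([a-z]*\)\$/\1/p"
}

echo "example.pem: $(ocsp_status example)"   # revoked
echo "intact.pem:  $(ocsp_status intact)"    # good
```

The full verifier output (Response verify OK, This Update, Revocation Time) is what the article shows; the sed filter only reduces it to the status word so the two results can be compared side by side.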