How can I revoke my ACM public certificate?

2 minute read

How can I revoke an AWS Certificate Manager (ACM) public certificate?

Short description

If you no longer need your ACM public certificate, you can delete the certificate. If you need to revoke your ACM public certificate for compliance reasons, AWS Support can do this on your behalf. Important: Revoked ACM public certificates can't be used again with the same serial number.


Submit a request to AWS Support to revoke the public certificate

Follow the instructions to create a support case in the Support Center of the AWS Management Console.

For emailed validated certificates, an email that looks similar to the following is sent to three registered addresses in WHOIS and the five common domain name addresses:

Amazon Trust Services has been requested to revoke the following
certificate. If you requested this revocation, please respond to this
email with I approve.

Domain: <DOMAIN>
AWS account ID: <AWS Account ID>
AWS Region name: <REGION>
Certificate identifier: <CERTIFICATE IDENTIFIER>


Amazon Trust Services

For DNS validated certificates, you might be contacted by AWS Support to add a unique TXT record in the DNS database to verify domain ownership.

After receiving the requested information and domain ownership is confirmed, AWS Support revokes the public certificate.

Verify that the ACM public certificate is revoked with OpenSSL

Note: If you receive errors when running OpenSSL commands, make sure that you’re using the most recent OpenSSL version.

1.    Get the certificate file information for your domain and save the output to a .pem file:

$ openssl s_client -connect 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > example.pem

2.    Check if the certificate has an Online Certificate Status Protocol (OCSP) URI:

$ openssl x509 -noout -ocsp_uri -in example.pem


3.    Capture the certificate chain:

$ openssl s_client -connect -showcerts 2>&1 < /dev/null

4.    Save the .pem file.

5.    Send an OCSP request similar to the following:

openssl ocsp -issuer chain.pem -cert example.pem -url

Response verify OK
example.pem: revoked
This Update: Apr 9 03:02:45 2014 GMT
Next Update: Apr 10 03:02:45 2014 GMT
Revocation Time: Mar 25 15:45:55 2014 GMT

In the output, note that the response is revoked.

Related information

Best practices

AWS OFFICIALUpdated 2 years ago
No comments