Revoke an issued certificate

Log on to the system as a Certification Authority Administrator or Certificate Manager.
Open Certification Authority.
In the console tree, click Issued Certificates
Where?
- Certification Authority (Computer)
- CA name
- Issued Certificates
In the details pane, click the certificate you want to revoke.
On the Action menu, point to All Tasks, and click Revoke Certificate.
Select the reason for revoking the certificate and click Yes.

Notes

XOX
The certificate is marked as revoked and is moved to the Revoked Certificates folder. The revoked certificate will appear on the certificate revocation list (CRL) the next time it is published.

Certificates revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until they expire, or have their revocation reason code changed. "Certificate Hold" is the only revocation reason that will allow you to unrevoke the certificate. It is useful if the status of the certificate is questionable and is meant to provide some flexibility to the CA administrator.

To unrevoke a certificate revoked with the reason code "Certificate Hold," at a command prompt on the CA, type

certutil -revoke CertificateSerialNumber unrevoke

To identify the certificate serial number, in the Revoked Certificates folder, in the details pane, double-click the revoked certificate, and then click the Details tab.

To change the reason code for a certificate previously revoked with the reason code "Certificate Hold," type the appropriate command at a command prompt on the CA.

New reason code	Command
Unspecified	certutil -revoke CertificateSerialNumber 0
Key Compromise	certutil -revoke CertificateSerialNumber 1
CA Compromise	certutil -revoke CertificateSerialNumber 2
Affiliation Changed	certutil -revoke CertificateSerialNumber 3
Superseded	certutil -revoke CertificateSerialNumber 4
Cessation of Operation	certutil -revoke CertificateSerialNumber 5

You can also unrevoke a certificate in the Certification Authority by right-clicking the certificate you want, clicking All Tasks, then clicking Unrevoke Certificate. This certificate must be revoked for the reason of "Certificate Hold".

Open Command Prompt.
Type:
certutil -revoke SerialNumber ReasonCode

Value	Description
revoke	Specifies the revocation of an existing certificate.
SerialNumber	Specifies the serial number of the certificate for revocation.
ReasonCode	Specifies the reason code for this certificate revocation. For values, see Notes.

Notes

XOX
To view the complete syntax for this command, at a command prompt, type:

certutil -revoke -?
The valid reason codes for certificate revocation are:

Reason for
revoking a certificate Reason code

Unspecified 0

Key Compromise 1

CA Compromise 2

Affiliation Changed 3

Superseded 4

Cessation of Operation 5

Certificate Hold 6
Certificates that are revoked with the reason code "Certificate Hold" can be unrevoked, left on "Certificate Hold" until they expire, or have their revocation reason code changed. "Certificate Hold" is the only revocation reason that will allow you to unrevoke the certificate. It is useful if the status of the certificate is questionable and is meant to provide some flexibility to the CA administrator.
To unrevoke a certificate that is revoked with the reason code "Certificate Hold," at a command prompt on the CA, type

certutil -revoke CertificateSerialNumber unrevoke