Certificate Revocation

It is sometimes necessary to prevent certificates from being used before their regular expiration date. Since an actively used certificate was potentially occupied onto countless computers, certificates cannot simply be deleted. Instead, certificates are revoked. These certificates are stored on central revocation lists or revocation servers of the CA provider. Clients such as Outlook and Thunderbird use these to regularly check whether certificates are still valid.

Warning

Revocations cannot be reverted! It is therefore important to exercise appropriate caution when revoking certificates.

The revocation status of a certificate has no influence on its cryptographic use. As long as you are in possession of the matching private key, it will still be possible to decrypt encrypted emails for revoked certificates in the future. The following therefore also applies here: never delete certificates for which you still have or expect encrypted e-mails.

Revoke certificates at KIT

Unfortunately, there is currently no self-service for certificate revocation.

To revoke certificates, have an authorized person send a signed e-mail to ca@kit.edu with a subject of Bitte Zertifikat(e) sperren, listing all certificates to be revoked in the mail body. Please specify one of the associated e-mail addresses and the serial number for each certificate. You can find these either in the certificate store of your operating system (certmgr.msc on Windows and Keychain management in macOS) or in the Certificate search of the KIT-CA.

An authorized person is either the original requester or an appropriate IT officer (ITB). In the case of function certificates, all persons who have access to the relevant mailbox also qualify.