Certificate Revoking and Certificate Deletion
With certbot (Let's Encrypt), and with certificates in general, it is important to think about the full lifecycle of the certificate. Often, folks feel that once they have provisioned and installed a certificate, their task is done.
However, remember that a certificate together with its private key is a credential: whoever holds the key can present that identity to clients until the certificate expires. So you need to ensure that you delete, revoke, or otherwise disable the use of your certificate once you no longer need it.
Why Revoke Certificates?
What would you do if you misplaced your private key? Not a problem, you can create a new key pair and request a new cert. But what about the certs that were already issued for the public key of the private key you just lost? Anyone who finds that key can impersonate your domain until those certs expire.
The solution is to revoke the certificate: the CA marks it as revoked, and clients that check revocation status (CRL or OCSP) will reject it before its expiry date.
- revoke cert: use case = lost my private key
- delete cert: use case = no longer own the domain
Why Delete Certificates (e.g. if you no longer own one or more of the domains in the certificate)?
What would happen if your domain was now in someone else's hands? certbot's renewal timer would keep trying to renew the certificate and fail, because you can no longer complete the validation for that domain, and the old certificate and key would sit on disk, still valid until expiry. Delete the lineage so certbot stops managing it, and revoke it as well if you cannot be sure the key stays private.
certbot delete --server --cert-name
certbot revoke --server --delete-after-revoke --cert-name
certbot revoke --server --no-delete-after-revoke --cert-name
--no-delete-after-revoke still leaves files in /live, /renewal and /archive; I believe this is related to the renewal timer.
rm -rf /etc/letsencrypt/live/${DOMAIN:?}
rm -f /etc/letsencrypt/renewal/${DOMAIN:?}.conf
rm -rf /etc/letsencrypt/archive/${DOMAIN:?}
sudo ./certbot-auto delete
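The decommissioning steps above, as an added shell example that is not part of the original post or of certbot itself. It builds the certbot command for each use case (revoke for a lost key, delete for a domain you no longer own), then checks and removes whatever certbot left behind under the letsencrypt directory. `--reason keycompromise` is a real `certbot revoke` option; `LE_DIR`, `CERTBOT` and the function names are assumptions made for this example, and the directory layout the test creates is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): decommission a certbot lineage and verify cleanup.
# Assumed knobs: LE_DIR (certbot config dir, default /etc/letsencrypt), CERTBOT (binary name).
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
CERTBOT="${CERTBOT:-certbot}"

# Print the certbot command for a use case.
#   revoke: private key may be exposed -> revoke with reason keycompromise and drop the local files
#   delete: domain no longer ours       -> just stop certbot from managing (and renewing) the lineage
decommission_cmd() {
  mode="$1"; cert_name="$2"
  [ -n "$cert_name" ] || return 1
  case "$mode" in
    revoke) printf '%s revoke --cert-name %s --reason keycompromise --delete-after-revoke\n' \
              "$CERTBOT" "$cert_name" ;;
    delete) printf '%s delete --cert-name %s\n' "$CERTBOT" "$cert_name" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Count the lineage paths certbot keeps for a cert name: live/, archive/ and renewal/<name>.conf.
leftovers() {
  dir="$1"; name="$2"; n=0
  for p in "$dir/live/$name" "$dir/archive/$name" "$dir/renewal/$name.conf"; do
    [ -e "$p" ] && n=$((n + 1))
  done
  echo "$n"
}

# The manual cleanup from the post, guarded so an empty or path-like name can never
# turn "rm -rf live/$name" into "rm -rf live/" or escape the letsencrypt directory.
purge_lineage() {
  dir="$1"; name="$2"
  case "$name" in
    ""|.|..|*/*) echo "refusing unsafe cert name: '$name'" >&2; return 1 ;;
  esac
  rm -rf "$dir/live/$name" "$dir/archive/$name"
  rm -f "$dir/renewal/$name.conf"
  [ "$(leftovers "$dir" "$name")" -eq 0 ]
}

# Usage when run directly: ./decommission.sh revoke example.com
if [ -n "$1" ] && [ -n "$2" ]; then
  cmd="$(decommission_cmd "$1" "$2")" || exit 1
  echo "running: $cmd"
  sh -c "$cmd" || echo "certbot step failed; check the output above" >&2
  purge_lineage "$LE_DIR" "$2" && echo "no leftovers for $2 under $LE_DIR"
fi
```

If the certificate was never stored in certbot's own directories (for example, issued on another host), `certbot revoke` also accepts `--cert-path` and `--key-path` to revoke by file instead of by lineage name; the local purge step then does not apply.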