Revoking certificate authority personal certificates using wsadmin


We can ask a certificate authority (CA) to revoke CA personal certificates. Revoke personal certificates that are no longer used in the configuration.

A personal certificate must be created with the requestCACertificate command before we can request that the certificate authority revoke it. Certificates created with the requestCACertificate command have an associated reference object in the configuration that we can use to submit the certificate revocation request to the certificate authority.

This page uses the revokeCACertificate command to submit a request to revoke a certificate on the certificate authority. You can only revoke a certificate created with the requestCACertificate command. To revoke the certificate on the certificate authority, specify the same revocation password that was provided when the certificate was created.

 

  1. Launch wsadmin using Jython.

  2. Determine the CA personal certificate to revoke. Use the listPersonalCertificates command to view a list of all personal certificates and associated attributes for a specific keystore, as the following example demonstrates:

    AdminTask.listPersonalCertificates('-keyStoreName CellDefaultKeyStore')

    The command returns an attribute list for each personal certificate, including CA personal certificates. CA personal certificates only return the status attribute. We can revoke each CA personal certificate that returns a COMPLETE status. Determine which CA personal certificate to revoke.

  3. Revoke a CA personal certificate. Use the revokeCACertificate command to revoke the CA personal certificate of interest. Specify the name of the keystore, certificate alias, and revocation password using the following parameters:


    Table 1. Required parameters

    Parameter | Description | Data Type
    -keyStoreName | Name of the keystore where the CA personal certificate is stored. | String
    -certificateAlias | Unique name that identifies the CA personal certificate object and the alias name of the certificate in the keystore. | String
    -revocationPassword | Password needed to revoke the certificate. This is the same password that was provided when the certificate was created. | String

    We can specify additional information with the following optional parameters:


    Table 2. Optional parameters

    Parameter | Description | Data Type
    -keyStoreScope | Management scope of the keystore. For a dmgr profile, the system uses the cell scope as the default value. For an appserver profile, the system uses the node scope as the default value. | String
    -revocationReason | Reason for revoking the certificate of interest. The default value for this parameter is unspecified. | String

    The following example revokes a CA personal certificate:

    AdminTask.revokeCACertificate('[-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke]')

  4. Save the configuration changes:

    AdminConfig.save()
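
Steps 2 to 4 combined into one guarded call, as an added example that is not IBM's code: it refuses to revoke an alias that does not report a COMPLETE status and takes the revocation password as an argument so it need not be stored in the script. The function names, the sample listing, and the assumed listing format (one entry per line, attributes written as [name value], each entry carrying its alias) are assumptions made for illustration.

```python
import re

# Constructed sample of listPersonalCertificates output. Assumed format: one
# entry per line, attributes as [name value]; status OTHER is a placeholder.
SAMPLE_LISTING = (
    '[ [alias default] [version 3] [size 2048] ]\n'
    '[ [alias myCertificate] [status COMPLETE] ]\n'
    '[ [alias oldCert] [status OTHER] ]'
)

def revocable_aliases(listing):
    """Aliases of CA personal certificates whose status is COMPLETE."""
    found = []
    for line in listing.splitlines():
        alias = re.search(r'\[alias ([^\]\s]+)\]', line)
        status = re.search(r'\[status ([^\]\s]+)\]', line)
        if alias and status and status.group(1) == 'COMPLETE':
            found.append(alias.group(1))
    return found

def revoke_args(key_store, alias, password, reason=None):
    """Build the revokeCACertificate option string from checked values."""
    values = [key_store, alias, password]
    if reason is not None:
        values.append(reason)
    for value in values:
        # Conservative check (assumption): refuse empty values and characters
        # that would change how the bracketed option string is split.
        if not value or re.search(r'[\s\[\]"]', value):
            raise ValueError('unsafe or empty option value')
    args = '-keyStoreName %s -certificateAlias %s -revocationPassword %s' % (
        key_store, alias, password)
    if reason is not None:
        args += ' -revocationReason %s' % reason
    return '[' + args + ']'

def revoke(admin_task, admin_config, key_store, alias, password, reason=None):
    """Steps 2-4: confirm COMPLETE status, revoke, then save."""
    args = revoke_args(key_store, alias, password, reason)
    listing = admin_task.listPersonalCertificates('-keyStoreName ' + key_store)
    if alias not in revocable_aliases(listing):
        raise ValueError('%s has no COMPLETE status in %s' % (alias, key_store))
    result = admin_task.revokeCACertificate(args)
    admin_config.save()
    return result

# Inside wsadmin, with the password read at run time instead of stored here:
#   revoke(AdminTask, AdminConfig, 'CellDefaultKeyStore', 'myCertificate', pw)
```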

 

Related tasks


Set certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin
Administer certificate authority clients using wsadmin

 

Related


CAClientCommands
PersonalCertificateCommands