Revoking certificate authority personal certificates

We can revoke certificate authority (CA) certificates from a CA. Revoke personal certificates that are no longer used in our configuration.

A personal certificate must be created with the requestCACertificate command before we can request that the certificate authority revoke it. Certificates created with the requestCACertificate command have an associated reference object in the configuration that we can use to submit the certificate revocation request to the certificate authority.

This topic uses the revokeCACertificate command to submit a request to revoke a certificate on the certificate authority. We can only revoke a certificate that was created with the requestCACertificate command. Specify the revocation password that was provided when the certificate was created; the same password is used to revoke the certificate on the certificate authority.

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Determine the CA personal certificate to revoke.

    Use the listPersonalCertificates command to view a list of all personal certificates and associated attributes for a specific keystore:

      AdminTask.listPersonalCertificates('-keyStoreName CellDefaultKeyStore')

    The command returns an attribute list for each personal certificate, including CA personal certificates. CA personal certificates only return the status attribute. We can revoke each CA personal certificate that returns a COMPLETE status. Determine which CA personal certificate to revoke.

  3. Revoke a CA personal certificate.

    Use the revokeCACertificate command to revoke the CA personal certificate of interest. Specify the name of the keystore, certificate alias, and revocation password using the following parameters:

    | Parameter | Description | Data Type |
    |---|---|---|
    | -keyStoreName | Name of the keystore where the CA personal certificate is stored. The value of this field is not a path to the keystore file. | String |
    | -certificateAlias | Unique name identifying CA personal certificate object and the alias name of the certificate in the keystore. | String |
    | -revocationPassword | Password needed to revoke the certificate. This is the same password that was provided when the certificate was created. | String |

    We can specify additional information with the following optional parameters:

    | Parameter | Description | Data Type |
    |---|---|---|
    | -keyStoreScope | Management scope of the keystore. For a dmgr profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. To obtain a list of the keystore scope values, see the listManagementScopes command, which is part of the ManagementScopeCommands command group. | String |
    | -revocationReason | Reason for revoking the certificate of interest. The default value for this parameter is unspecified. | String |

    The following example revokes a CA personal certificate:

      AdminTask.revokeCACertificate('[-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke]')

  4. Save the configuration changes.

    Use the following command example to save the configuration changes:
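
Steps 2 to 4 combined into one Jython-compatible function, as an added example that is not part of the original documentation: it refuses to revoke unless the alias is listed with a COMPLETE status, takes the revocation password as an argument so it need not be hard-coded in the script, and saves with AdminConfig.save(). The function names, the sample listing, and the one-line-per-certificate `[name value]` output format are assumptions; values are assumed to contain no spaces.

```python
import re

# Assumption: each certificate is one line of bracketed "[name value]" pairs.
PAIR = re.compile(r'\[(\w+) \[?([^\[\]]*)\]')

# Constructed sample output; the aliases and the PENDING status are made up.
SAMPLE_LISTING = (
    '[ [issuedTo [CN=host1, O=Example]] [alias default] ]\n'
    '[ [alias myCertificate] [status COMPLETE] ]\n'
    '[ [alias pendingCert] [status PENDING] ]\n')


def parse_certificates(listing):
    """Turn listPersonalCertificates output into one attribute dict per line."""
    certs = [dict(PAIR.findall(line)) for line in listing.splitlines()]
    return [c for c in certs if c]


def revoke_ca_certificate(admin_task, admin_config, key_store, alias,
                          revocation_password, scope=None, reason=None):
    """Revoke alias only if the keystore lists it with status COMPLETE."""
    scope_args = []
    if scope:
        scope_args = ['-keyStoreScope', scope]
    listing = admin_task.listPersonalCertificates(
        '[' + ' '.join(['-keyStoreName', key_store] + scope_args) + ']')
    found = [c for c in parse_certificates(listing) if c.get('alias') == alias]
    if not found:
        raise ValueError('no personal certificate with alias ' + alias)
    status = found[0].get('status')
    if status != 'COMPLETE':
        # Not a CA personal certificate, or not in a revocable state.
        raise ValueError('alias %s has status %s' % (alias, status))

    args = ['-keyStoreName', key_store, '-certificateAlias', alias,
            '-revocationPassword', revocation_password] + scope_args
    if reason:
        args += ['-revocationReason', reason]
    admin_task.revokeCACertificate('[' + ' '.join(args) + ']')
    admin_config.save()  # step 4: persist the configuration change
    return status
```

Inside wsadmin, pass the built-in AdminTask and AdminConfig objects as the first two arguments and supply a password read at run time.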


Related tasks

  • Configure certificate authority client objects
  • Create certificate authority (CA) personal certificates
  • Administer certificate authority clients
  • Start the wsadmin scripting client

  • CAClientCommands (AdminTask)
  • PersonalCertificateCommands (AdminTask)
  • ManagementScopeCommands (AdminTask)