Most small business owners will never think about this until the day something goes wrong. Then, suddenly, it matters enormously. If your private key has leaked, if a developer who has left still has your server credentials, or if your certificate was issued with the wrong details on it, you need to revoke an SSL certificate and you need to do it today, not next week.
Revocation is the emergency brake of website security. It tells the world that a certificate which is technically still within its valid dates should no longer be trusted. Here is what it means, when to pull it, and how to do it without taking your website down in the process.
Revoking a certificate is cancelling a promise early
Every SSL certificate is a signed statement from a Certificate Authority saying, in effect, “we have checked, and whoever holds the matching private key really does control this domain”. That statement has an expiry date built in. Revocation is what happens when the statement stops being true before the expiry date arrives.
When you revoke, the Certificate Authority adds your certificate to a public list of certificates that should no longer be trusted. Browsers can check that list, see your certificate on it, and refuse to accept it even though the dates still look fine.
The key insight, and it is the one that trips people up: revoking does not delete the certificate, and it does not automatically fix your website. It invalidates the old certificate. You still need to install a fresh one, generated with a brand new private key. Revoke and replace, in that order, and preferably within the same hour.

When you genuinely need to revoke
Revocation is not routine housekeeping. You do not revoke a certificate simply because it is old, or because you are switching hosts, or because you fancy a tidy-up. Here are the situations that actually warrant it:
- Your private key has been exposed: the big one. If the key file has been committed to a public code repository, emailed around, left on a compromised server, or copied onto a laptop that was stolen, assume it is in the wild and revoke immediately.
- Your server has been hacked: if an attacker had root or administrator access, they could have taken a copy of the key. Treat it as exposed even if you cannot prove they took it.
- A member of staff or contractor has left on bad terms: if they had access to the key and you cannot be confident it was not copied, revoking is the cautious call.
- The certificate has wrong information on it: a misspelt company name, an incorrect domain, or details that no longer match your legal entity after a rebrand or company restructure.
- You no longer own the domain: if you have sold a domain or let it go, a certificate for it should not remain valid in your name.
- The Certificate Authority made an error: occasionally a CA discovers it issued certificates it should not have, and it will revoke them itself, sometimes at very short notice.
If you are reading that list and one of them describes your week, stop reading and go and do it. The article will still be here.
How to revoke an SSL certificate, step by step
Step one: get the replacement ready first
This is the bit people skip and then regret. The moment revocation propagates, your site will start throwing security warnings to visitors. So generate a brand new private key and a new Certificate Signing Request before you revoke anything, and have the replacement certificate issued and ready to install. Then the outage is measured in minutes rather than days.
Do not reuse the old key. If you are revoking because the key was compromised, reusing it defeats the entire exercise.
Step two: find where the certificate lives
Log in to whoever issued it: your web host’s control panel, your domain registrar, or the certificate provider directly. Look for a section called SSL, Security, or Certificates. If you cannot work out who issued it, click the padlock on your live site and view the certificate details; the issuer’s name is right there.
Step three: request the revocation
Most providers offer a revoke button in the control panel. Some require you to raise a support ticket, and they will ask you to confirm your identity and state a reason (key compromise, affiliation changed, cessation of operation, and so on). For free Let’s Encrypt certificates, revocation is done through your ACME client, typically with a revoke command; if your host manages that for you, ask them to do it.
Step four: install the new certificate immediately
Install the replacement, including the full chain with any intermediate certificate, and restart the web server so it picks up the new files. Then check the site loads cleanly in a private browsing window.
Step five: hunt down every copy of the old key
Revocation is pointless if the compromised key is still sitting on a backup server, in a code repository, or in a shared drive. Delete every copy you can find. Rotate any other credentials the attacker might have picked up at the same time: server passwords, database passwords, API keys, admin logins.
Step six: verify the revocation actually took
Run an online SSL checker against your domain and confirm it is serving the new certificate with a new serial number and a new expiry date. If you have the old certificate details, check that it now shows as revoked.
Revocation, renewal and reissue are three different things
These get muddled constantly, and choosing the wrong one wastes time you may not have. Here is the plain-English difference:
- Renewal: your certificate is approaching its expiry date and you are extending it. Routine, planned, no drama. This is what most people mean when they say they need to sort their certificate out.
- Reissue: you need a fresh certificate for the same domain, usually because you have changed servers or generated a new key, but nothing has been compromised. The old one is typically left to expire quietly.
- Revocation: the old certificate must be actively distrusted, right now, because something has gone wrong. This is the emergency option.
Renewal is a diary entry. Revocation is an incident.
The awkward truth about how well revocation works
We would be doing you a disservice if we pretended revocation is a perfect safety net, because it is not, and understanding why changes how you should think about your response.
For a browser to know your certificate has been revoked, it has to check with the Certificate Authority. That check can be slow, and it can fail. Historically, when the check failed, many browsers simply carried on and accepted the certificate anyway, on the grounds that breaking every website whenever a revocation server had a wobble would be worse. Browser makers have improved this considerably with pushed revocation lists and other mechanisms, but coverage is still not universal, and older or unusual clients may never check at all.
The practical implication is important. Revoke, absolutely, because it is the correct thing to do and it does protect a lot of your visitors. But do not treat revocation as though it magically undoes a key compromise. Assume the compromised key may still be usable against some visitors, and act accordingly: rotate everything, investigate how the breach happened, and close the hole.
Best practices that keep you out of this situation
- Never email a private key: not to your developer, not to your host, not to yourself. If a key has been emailed, treat it as public.
- Keep keys out of code repositories: the single most common way keys leak is being committed to a repository that later becomes public. Check your repositories today.
- Restrict who can access the server: the fewer people with root access, the fewer people who could walk off with a key.
- Rotate credentials when people leave: build it into your offboarding, alongside the email account and the door key.
- Use short-lived, automated certificates: a certificate that renews itself every sixty days limits the damage window dramatically, and it means a fresh key can be generated routinely rather than as an emergency.
- Own your own hosting account: if your certificate lives in a freelancer’s personal account, you cannot revoke it at three in the morning.
- Know who to ring: write down your host’s emergency support process before you need it.
Common mistakes when revoking
Revoking before the replacement is ready, and taking the site down for two days while the new certificate is validated. Prepare first, revoke second.
Reusing the compromised private key for the new certificate. Astonishingly common, and it makes the whole exercise theatre.
Revoking the certificate but leaving the attacker’s access in place. The certificate is a symptom; the breach is the disease. Change every password and key on that server.
Assuming revocation is instant and universal. It propagates, and some clients never check. Plan on that basis.
Where this is all heading
The industry has broadly concluded that revocation is a weak mechanism, and the answer is shorter certificate lifetimes. If a certificate only lives for a matter of weeks, a compromised key has a small window of usefulness and expiry does the job that revocation struggled to do reliably. Maximum certificate lifetimes have been coming down steadily for years and the expectation is that they will keep falling.
For a small business, the upshot is happily simple: get onto short-lived, automatically renewing certificates managed by a competent host, and the whole revocation question becomes far less frightening.
Does revoking an SSL certificate take my website offline?
Effectively, yes, until you install a replacement. Visitors will see a security warning, because the certificate your server is presenting is no longer trusted. That is exactly why you prepare the new certificate before you revoke the old one.
How long does revocation take to work?
The Certificate Authority usually processes the request within minutes, but propagation to browsers depends on how they check revocation status and how recently they refreshed their lists. Treat it as “quickly, but not instantly, and not everywhere”.
Can I get a refund when I revoke a paid certificate?
Sometimes, depending on the provider and how long ago you bought it, but do not let a possible refund slow down an urgent revocation. Deal with the security problem, then ask about the money.
Do I need to revoke if I am just moving to a new host?
No. Moving hosts is a reissue, not a revocation. Get a new certificate on the new server and let the old one expire, unless the key was exposed during the move.
What if I cannot reach my certificate provider?
Ring them rather than emailing, and if you are with a host that has no emergency support route when your keys are compromised, that tells you something worth knowing about your host.
Your SSL revocation checklist
- Confirm you actually need to revoke: key compromise, server breach, wrong details, or lost domain. Not a routine renewal.
- Generate a new private key: brand new, never the old one.
- Get the replacement certificate ready: issued and waiting before you revoke.
- Revoke through the issuer: control panel button, support ticket, or ACME client command.
- Install the new certificate and full chain: then restart the web server.
- Destroy every copy of the old key: backups, repositories, laptops, shared drives.
- Rotate all other credentials: server, database, admin, API keys.
- Verify with an SSL checker: new serial number, clean chain, no warnings.
- Work out how it leaked: and close that door properly.
Contact Us
If you have landed on this page because something has gone wrong today, take a breath; this is fixable, and it is fixable faster with someone who has done it before sitting next to you. And if you are reading it out of prudent curiosity, even better, because the businesses that handle a key compromise calmly are the ones that thought about it beforehand.
Delivered Social looks after websites, hosting and security for small businesses across the UK. If you need to revoke an SSL certificate, or you simply want someone to check that your site is set up so you never have to, get in touch with the team and we will take a proper look.


































