Introduction

A revoked SSL certificate is different from an expired one. The certificate is no longer trusted because the certificate authority has actively invalidated it before its original expiry date. Browsers, API clients, or enterprise proxies may reject the site until you replace the revoked certificate and fix the reason it was revoked in the first place.

Symptoms

  • Browsers or clients report that the certificate has been revoked
  • HTTPS worked recently but now fails even though the certificate date range looks valid
  • The problem affects only one hostname, load balancer, or edge service
  • SSL scanners show revocation warnings for the current leaf certificate
  • The issue began after key exposure, certificate reissue attempts, or CA account changes

Common Causes

  • The private key was exposed and the CA revoked the affected certificate
  • The certificate was replaced in one layer but an older revoked copy is still deployed elsewhere
  • Automated renewal issued a new certificate, but traffic still terminates on the revoked one
  • A CA validation or account issue forced revocation of the previous certificate
  • Middleboxes or proxies keep serving a cached, outdated certificate chain

Step-by-Step Fix

  1. Confirm which exact certificate serial number is being served on the failing hostname so you do not replace the wrong asset.
  2. Check your certificate authority or management platform to verify the revocation reason and whether a replacement certificate already exists.
  3. Deploy a fresh valid certificate and matching private key to every TLS termination point, including CDN, load balancer, reverse proxy, and origin if applicable.
  4. Review certificate bundles and server config to make sure the new certificate chain is complete and actually active after reload.
  5. Remove old revoked certificate files, secret references, or automation pointers so the stack does not roll back to the invalid cert on restart.
  6. If revocation happened because of suspected key exposure, rotate the private key pair and limit access to the new key material.
  7. Clear CDN or proxy SSL state if that platform caches certificate configuration separately from the origin.
  8. Retest with a browser and an external SSL checker to confirm the served certificate serial number matches the new valid deployment.
  9. Audit your renewal and secret-handling process so revoked certificates are replaced quickly and key exposure is less likely to happen again.
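Steps 1 and 8 both come down to reading the serial number off the certificate the host actually presents and comparing it with the replacement the CA issued. The following is an added example, not code from this article: Python standard library only, the host name and port are whatever you pass in, and the embedded sample certificate is a constructed DER skeleton used only to exercise the parser.

```python
"""Read the serial of the leaf certificate a host serves and compare it with the expected one."""
import socket
import ssl
def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_from_der(cert_der):
    """Return the serialNumber of a DER X.509 certificate as uppercase hex (openssl style)."""
    _, tbs, _ = _der_tlv(cert_der, 0)                # Certificate SEQUENCE
    tag, pos, _ = _der_tlv(cert_der, tbs)            # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        tag, start, end = _der_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return format(int.from_bytes(cert_der[start:end], "big", signed=True), "X")

def normalize_serial(text):
    """Accept 'serial=0A1B', '0a:1b' or '0A1B' (CA portal / openssl styles) and canonicalize."""
    text = text.strip().split("=")[-1].replace(":", "").upper()
    return text.lstrip("0") or "0"

def serial_matches(cert_der, expected_serial):
    """True when the served certificate is the replacement we expect to have deployed."""
    return normalize_serial(serial_from_der(cert_der)) == normalize_serial(expected_serial)

def served_cert_der(host, port=443):
    """Fetch the leaf cert presented for this SNI name; verification is off on purpose,
    because a revoked or stale certificate is exactly what we want to look at."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + payload

# Constructed sample: only the Certificate/TBSCertificate/version/serialNumber layout of
# RFC 5280 is present; it is a parser test input, not a real signed certificate.
SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex("00A1B2C3D4E5F60718"))))
```

Run `serial_matches(served_cert_der("your.host.example"), "<serial from the CA portal>")` against each termination point (CDN, load balancer, origin) to catch a layer still presenting the revoked copy; `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -serial` prints the same value for a manual cross-check.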