acumen/revoke_certificate
Revoke certificates issued through ACME.
Once revoked, a certificate appears on Certificate Revocation Lists (CRLs).
Example
import acumen
import acumen/revoke_certificate
import gleam/httpc

// Build the revocation request with the DER-encoded certificate
let rev = revoke_certificate.request(cert_der_bytes)
  |> revoke_certificate.reason(revoke_certificate.KeyCompromise)

// Execute the request
let assert Ok(#(resp, ctx)) = acumen.execute(
  ctx,
  build: revoke_certificate.build(rev, _, registered_key),
  send: httpc.send,
)

// Parse the response
let assert Ok(Nil) = revoke_certificate.response(resp)
Types
Request builder for certificate revocation.
Use request to create a builder with the DER-encoded certificate,
optionally configure it with reason, then call build.
pub opaque type RequestBuilder
Reason codes for certificate revocation as defined in RFC 5280.
Not all reason codes are commonly used. The most common are:
- Unspecified: No specific reason given
- KeyCompromise: The certificate’s private key was compromised
- Superseded: The certificate has been replaced by a newer one
- CessationOfOperation: The certificate is no longer needed
pub type RevocationReason {
  Unspecified
  KeyCompromise
  CaCompromise
  AffiliationChanged
  Superseded
  CessationOfOperation
  CertificateHold
  RemoveFromCrl
  PrivilegeWithdrawn
  AaCompromise
}
Constructors
- Unspecified: No specific reason given (code 0)
- KeyCompromise: The certificate’s private key was compromised (code 1)
- CaCompromise: The CA’s private key was compromised (code 2)
- AffiliationChanged: The certificate holder’s affiliation changed (code 3)
- Superseded: The certificate has been replaced (code 4)
- CessationOfOperation: The certificate is no longer needed (code 5)
- CertificateHold: The certificate is temporarily on hold (code 6)
- RemoveFromCrl: Remove the certificate from a CRL (code 8)
- PrivilegeWithdrawn: Privileges were withdrawn (code 9)
- AaCompromise: The attribute authority was compromised (code 10)
Values
pub fn build(
  builder: RequestBuilder,
  context: acumen.Context,
  key: acumen.RegisteredKey,
) -> Result(request.Request(String), acumen.AcmeError)
Builds a signed revocation request to the revokeCert endpoint.
pub fn build_with_certificate_key(
  builder: RequestBuilder,
  context: acumen.Context,
  key key: gose.Key(String),
) -> Result(request.Request(String), acumen.AcmeError)
Signs the revocation request with the certificate’s private key instead of the account key. Useful when account access is unavailable, such as during incident response.
Example
import acumen
import acumen/revoke_certificate
import gleam/httpc
import gose/key

// Load the certificate's own private key from PEM
let assert Ok(cert_private_key) = key.from_pem(cert_key_pem)

// Build the revocation request with the DER-encoded certificate
let req = revoke_certificate.request(cert_der_bytes)
  |> revoke_certificate.reason(revoke_certificate.KeyCompromise)

// Execute the request, signed with the certificate key
let assert Ok(#(resp, ctx)) = acumen.execute(
  ctx,
  build: revoke_certificate.build_with_certificate_key(
    req,
    _,
    key: cert_private_key,
  ),
  send: httpc.send,
)

// Parse the response
let assert Ok(Nil) = revoke_certificate.response(resp)
pub fn reason(
  builder: RequestBuilder,
  revocation_reason: RevocationReason,
) -> RequestBuilder
Sets the revocation reason. Optional but recommended.
pub fn request(certificate_der: BitArray) -> RequestBuilder
Creates a new revocation request builder with the given DER-encoded certificate.
pub fn response(
  resp: response.Response(String),
) -> Result(Nil, acumen.AcmeError)
Parses the revocation response. Empty body on success.
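
How the requests produced by build and build_with_certificate_key differ on the wire under RFC 8555 section 7.6, as an added Python sketch that is not acumen's code: the payload carries the base64url DER certificate and optional reason code, and the protected header carries kid for the account key or jwk for the certificate key. The function names, URLs, nonces and sample bytes are constructed for illustration; computing the signature over the returned signing input is left to a JOSE library.

```python
import base64
import json

# RFC 5280 reason codes listed on this page; 7 is unassigned.
REASON_CODES = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10}

# Constructed sample values (not a real certificate, CA or account).
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_URL = "https://ca.example/acme/revoke-cert"
SAMPLE_KID = "https://ca.example/acme/acct/1"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _encode(obj: dict) -> str:
    # Compact JSON; sorted keys only to make the output deterministic.
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def revocation_signing_input(cert_der, reason, url, nonce, alg, *, kid=None, jwk=None):
    """Return (protected, payload, signing_input) for a revokeCert POST.

    kid: account URL, when the account key signs.
    jwk: public JWK of the certificate key, when that key signs.
    """
    if (kid is None) == (jwk is None):
        raise ValueError("give exactly one of kid or jwk")
    if reason is not None and reason not in REASON_CODES:
        raise ValueError(f"invalid revocation reason code: {reason}")
    if not cert_der or cert_der[0] != 0x30:
        raise ValueError("expected DER bytes (SEQUENCE tag 0x30), got something else")

    protected = {"alg": alg, "nonce": nonce, "url": url}
    protected["kid" if kid is not None else "jwk"] = kid if kid is not None else jwk

    payload = {"certificate": b64url(cert_der)}
    if reason is not None:
        payload["reason"] = reason

    signing_input = f"{_encode(protected)}.{_encode(payload)}".encode("ascii")
    return protected, payload, signing_input
```

The DER check catches the common mistake of passing PEM text where request expects DER bytes.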