Can a revoked certificate be re-instated?

The only option to unrevoke is when the certificate is revoked with the certificateHold reason (§5.3.1 in RFC 5280). In all other cases the certificate (and the key) must be re-created.


You create a new one. Usually it is easier to issue a new certificate than to unrevoke a revoked one.


TL;DR: It's not permitted; it's not technically impossible.

Assuming you're not talking about a certificate that's been held, it would be against the rules for a certificate, once revoked, to be unrevoked.

If you ask a CA to unrevoke a revoked certificate, they should refuse, and they'll probably tell you it's impossible.

However, if you websearch, you may find stories of CAs unrevoking certificates.

They shouldn't, but it (apparently) does happen.

A CA is, ultimately, a database containing a lot of certificates, and metadata about the status of each one, including whether or not it has been revoked.

At regular or irregular intervals, the CA parses that database and produces a CRL - a list of revoked certificates.

If your certificate is on that list, it's revoked. (Not that clients always check the list, but that's a different issue.)

If the database gets changed to remove the record of the certificate being revoked, then the next time the list of revoked certificates is produced, the certificate won't be on it. In effect, the certificate will have been unrevoked.

This should NEVER happen. But it's not technically impossible.

See, for example, https://hackernoon.com/godaddy-revoked-and-then-un-revoked-a-certificate-without-request-11f86074bbf8
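
A relying party can detect the silent removal described above by diffing successive CRLs from the same CA. The following is an added example, not part of the answers; it assumes each CRL has already been parsed into entries, that `not_after` comes from a separate certificate inventory, and all names and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CrlEntry:
    serial: int
    reason: str          # CRLReason name, e.g. "keyCompromise", "certificateHold"
    not_after: datetime  # notAfter of the revoked certificate (assumed: from an inventory)

@dataclass(frozen=True)
class CrlSnapshot:
    this_update: datetime
    entries: tuple

def unexplained_removals(old, new):
    """Serials listed in `old` but missing from `new` with no legitimate reason."""
    still_listed = {e.serial for e in new.entries}
    findings = []
    for e in old.entries:
        if e.serial in still_listed:
            continue
        if e.reason == "certificateHold":
            continue  # a hold may be released (RFC 5280 certificateHold)
        if e.not_after < old.this_update:
            continue  # already appeared on a CRL issued after expiry, may be dropped
        findings.append(e.serial)
    return sorted(findings)

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample snapshots of one CA's CRL, a week apart.
OLD = CrlSnapshot(_d(2024, 3, 1), (
    CrlEntry(0x1001, "keyCompromise", _d(2025, 1, 1)),         # vanishes: unrevoked
    CrlEntry(0x1002, "certificateHold", _d(2025, 1, 1)),       # vanishes: hold released
    CrlEntry(0x1003, "superseded", _d(2024, 2, 15)),           # vanishes: long expired
    CrlEntry(0x1004, "cessationOfOperation", _d(2024, 3, 5)),  # vanishes: dropped too early
    CrlEntry(0x1005, "keyCompromise", _d(2025, 6, 1)),         # still listed
))
NEW = CrlSnapshot(_d(2024, 3, 8), (
    CrlEntry(0x1005, "keyCompromise", _d(2025, 6, 1)),
))

if __name__ == "__main__":
    for serial in unexplained_removals(OLD, NEW):
        print(f"ALERT: serial {serial:#x} left the CRL without a hold or expiry")
```

Serial 0x1004 is flagged because RFC 5280 keeps an entry on the CRL until it has appeared on one CRL issued after the certificate's validity period, and the older snapshot predates its expiry.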