This feature is part of VTEX Shield. If you're already a VTEX client and would like to adopt VTEX Shield for your business, contact our Commercial Support. Additional fees may apply. If you're not yet a VTEX client but are interested in this solution, complete our contact form.

For security reasons, when using mTLS, you may need to revoke previously issued certificates if they're compromised or no longer needed. VTEX provides a DELETE Revoke certificate endpoint, which allows you to revoke a certificate using its serial number.

This guide provides step-by-step instructions for revoking certificates using this endpoint.

To revoke a certificate, you first need to retrieve its serial number, which uniquely identifies the certificate issued by VTEX’s Certificate Authority. This information is embedded in the certificate (.crt) file and can be extracted using OpenSSL.

There are two ways to extract the serial number, depending on how you intend to format the value in the revocation request. The VTEX API accepts both formats.

Open a terminal and use the command below to extract the serial number in a plain hexadecimal format:

Example output:

Alternatively, you can use the command below to extract the serial number with colon separators:

Example output:

Send a revocation request to the DELETE Revoke certificate endpoint, including the certificate's serial number in the URL. Both serial number formats shown in the Step 1 - Getting the certificate serial number section are accepted.

The user or application must have the following License Manager resource to make this call. Otherwise, a 403 status code error will be returned.

There are no predefined roles for these resources. To use this endpoint, you must create a custom role and add the above resource. Learn more about platform resources and roles in the Roles documentation.

Using an authentication cookie:

Using API keys:

Learn more in the DELETE Revoke certificate API reference.