Retired Certificates Cannot be Rediscovered or Re-imported

How to:

Re-discover or re-import previously retired or deleted certificates.

Applies to:

Venafi as a Service

Symptom:

A certificate was previously discovered and/or imported. The certificate was later retired and deleted from the system. Now, when trying to import or discover the certificate again, via the UI or API, it is 'ignored' and does not appear in the certificate inventory.

Cause:

The most likely cause for this behavior is that the option Do not rediscover was selected when the certificate was originally retired.

When this option is selected, all future discoveries will ignore the target certificate should it be included in a future discovery or a manual import process.

Resolution:

If it is desired to re-add the certificate to inventory, the certificate must be removed from the Do not rediscover list. There are two options for removing the certificate from the list.

  • Use the UI to clear the entire block list. This option removes ALL certificates from the block list.
  • Use the APIs. This option allows selectively identifying certificates to override the block list.

Using the UI to Clear the Block List

Using the UI to clear the block list will remove all certificates from the block list. There is no ability with this option to selectively identify certificates to unblock. Therefore any and all certificates previously removed in this manner may reappear in certificate inventory during future discovery or import operations.

  1. Log into Venafi as a Service with a PKI Admin or Admin level user.
  2. Go to Settings | Platform >> Discovery.
  3. Click Clear List.
  4. Allow discovery to run or perform your import operation again to allow the certificate to be re-added to inventory.

Using the API to Override a Blocked Certificate

When manually importing a certificate via API, it is possible to override the block list on a per-certificate basis.

  1. Follow these steps in the Venafi as a Service documentation, here: https://docs.venafi.cloud/api/importing-certificate-via-api/
  2. Note the overrideBlocklist value at the bottom of the JSON body in step 4 and set its value to true. Setting the value to false or omitting it will cause the certificate to continue to be ignored.
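
The sketch below is an added example, not code from Venafi or from the linked documentation. It prepares an import body with overrideBlocklist set and classifies an existing body before it is sent. Only overrideBlocklist is named in this article; the "certificates" and "certificate" field names, the single-line base64 DER encoding and the top-level placement of the flag are assumptions to check against step 4 of the linked steps.

```python
import base64
import json
import re

# Constructed sample input: PEM-shaped bytes, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-sample-der-bytes" * 4).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_to_b64_der(pem_text):
    """Return one single-line base64 DER string per PEM block in pem_text."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(base64.b64encode(der).decode("ascii"))
    if not out:
        raise ValueError("no PEM certificate block found")
    return out


def build_import_body(pem_text, override_blocklist=True):
    """Build the import body. Only overrideBlocklist comes from the article;
    'certificates' and 'certificate' are assumed field names."""
    certs = [{"certificate": c} for c in pem_to_b64_der(pem_text)]
    return {"certificates": certs, "overrideBlocklist": override_blocklist}


def blocklist_outcome(body_json):
    """Classify a serialized body by the behavior the article describes."""
    value = json.loads(body_json).get("overrideBlocklist")
    if value is True:
        return "override"
    if value is None or value is False:
        return "still-ignored"  # omitted or false: blocked cert stays ignored
    return "fix-type"  # e.g. the string "true"; send a JSON boolean instead
```

Running blocklist_outcome over the exact JSON a script is about to submit catches the omitted or false flag before a blocked certificate is silently ignored again. Treating non-boolean values as "fix-type" is a conservative choice of this example, not documented API behavior.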