Skip to main content

Revoking Access

Teleport's approach to using short-lived certificates for all infrastructure access means that it can generate large numbers of certificates every day. For this reason, Teleport does not support traditional certificate revocation.

There are two options available for revoking access: CA rotations and Teleport locks.

CA rotations

To generate a new certificate authority and invalidate user certificates issued by the current CA, run tctl auth rotate --type=user. This process will require that the newly generated CA certificate is uploaded to your entire fleet of OpenSSH servers. This can be a disruptive change, especially in environments that lack automation, so proceed with caution.

See the CA rotations guide for more details on how to execute the procedure.

Locks

Teleport locks allow you to permanently or temporarily revoke access to a number of different "targets". Supported lock targets include: specific users, roles, servers, desktops, or MFA devices. After you create a lock, all existing sessions where the lock applies are terminated and new sessions are rejected while the lock remains in force.

For more information, read our Session and Identity Locking Guide.