Should I revoke no longer used Let's Encrypt certificates before destroying them?

This is a subjective Cost vs Risk decision. We can't make it for you, but I can help you examine the factors involved.


To you: the effort of revoking the cert. If you have to do this manually, that's annoying, but if you can script it up in 10 mins and add it to your CloudFormation plays, then why not? As @Hildred points out, this also advertises that your server has been decommissioned, which could be considered a privacy / security issue depending on how much you care.

To LetsEncrypt: They need to handle the revocation request, which is not a particularly heavy request. Each revoked cert adds a line to their CRLs, slightly higher bandwidth costs to transmit the CRLs, and a slight performance penalty to their OCSP responders that need to search the CRLs. But it's certainly not a burden since the system is literally designed for this.


If an attacker finds out that you terminate your VMs without revoking the cert, can they use that to their advantage? A rogue admin (either yours or Amazon's) could pull the cert and key from the VM as it is being terminated and you'd be none the wiser. Is that likely or any bigger of a threat than pulling it from a live system? Probably not.

So really, we're dealing with a very small cost vs a very small risk. Your choice. Thanks for asking the question though, neat to think about!
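The answer above mentions scripting the revocation and wiring it into the decommissioning flow. Here is an added example of what such a decommission hook could look like; it is not code from the original answers. It assumes certbot is installed (the `CERTBOT` variable only exists here so the hook can be exercised with a stand-in binary), and it uses certbot's `--key-path` option so the revocation request is signed with the certificate's own private key rather than requiring the ACME account key to be present on the host. The key is wiped only after the revocation succeeds, so a failed revocation leaves the material in place for a retry. The file paths in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Decommission hook (added example, not from the original page):
# revoke a Let's Encrypt certificate, then remove its private key from
# the host that is about to be destroyed.
# Assumptions: certbot is on PATH (override with CERTBOT=/path for testing).
set -eu

# revoke_cert CERT KEY -> ask the CA to revoke CERT, signing with KEY.
revoke_cert() {
    cert="$1"; key="$2"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "revoke_cert: cannot read $cert or $key" >&2
        return 1
    fi
    # --reason cessationofoperation tells the CA this is a planned shutdown,
    # not a key compromise, so it is recorded accurately in the CRL/OCSP data.
    # --key-path signs the request with the certificate's own key, so no ACME
    # account key has to live on the box.
    "${CERTBOT:-certbot}" revoke --non-interactive \
        --cert-path "$cert" --key-path "$key" --reason cessationofoperation
}

# wipe_key KEY -> delete the private key; shred where available, else rm.
# (The VM is being destroyed anyway; this is belt-and-braces against the
# "pull the key from a dying instance" scenario discussed above.)
wipe_key() {
    key="$1"
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$key"
    else
        rm -f -- "$key"
    fi
    [ ! -e "$key" ]
}

# decommission_cert CERT KEY -> revoke first, wipe only on success.
decommission_cert() {
    revoke_cert "$1" "$2" && wipe_key "$2"
}

# Usage (constructed paths, typical certbot layout):
# decommission_cert /etc/letsencrypt/live/example.com/cert.pem \
#                   /etc/letsencrypt/live/example.com/privkey.pem
```

Run it as the last step before the instance is terminated (a shutdown unit, a lifecycle hook, or the teardown part of whatever orchestration you already use). Ordering matters: revoking before wiping means an outage at the CA is visible as a failed hook rather than as a silently unrevoked certificate.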

Revocation is not necessary, from a security point of view, if the private key is not compromised.

Unnecessary revocation will add a little load to the Let's Encrypt infrastructure but not much:

One possibility you overlooked is to generate a revocation but not publish it until needed. It does put a slight load on your infrastructure but hides the takedown of the machine, and has a revocation available if needed.