There are generally two ways of revoking a certificate: via certificate serial number or by passing certificate and key directly. The command would look something like:
# Serial step ca revoke 107114196650443109012396058201150902110 # Cert/Key Pair step ca revoke --cert my.crt --key my.key
However, OIDC provisioners can only use the latter of the two methods. If you try to use an OIDC provisioner to revoke a certificate by serial number, you will see something similar to the following error:
% step ca revoke 237819302016837325077515135179740029114 ✔ Provisioner: authority-admin (OIDC) [client: 0cca8885-3c94-4b15-aac5-a44cd659e92b] Your default web browser has been opened to visit: https://auth.smallstep.com/oidc/.../...zaJ9IMYHm token subject '9cd91b2a-4283-45eb-a325-956f0bae7d9e' and serial number '237819302016837325077515135179740029114' do not match
Passing the certificate and key show a successful revocation:
% step ca revoke --cert my.crt --key my.key ✔ CA: https://....ca.smallstep.com Certificate with Serial Number 237819302016837325077515135179740029114 has been revoked.
If you would like to revoke a certificate by serial number, you will have to use a different provisioner type.