diff --git a/certificates.py b/certificates.py
index 58104069b04dfea635dd866a95522a8d34e4e653..8b23e40bdefa416e574e71744c90196c31bb2280 100644
--- a/certificates.py
+++ b/certificates.py
@@ -123,11 +123,17 @@ def revoke_certificate(cn: str):
     :param cn: CN (common name) identifying the certificate
     """
     _check_cn(cn)
-    raise NotImplementedError
-    # cmd = [{EASYRSA}, "TODO", cn]
-    # result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
-    # if result.returncode != 0:
-    #     raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+    # Revoke the certificate
+    cmd = [EASYRSA, "revoke", cn]
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    if result.returncode != 0:
+        raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+    # Refresh the CRL list
+    cmd = [EASYRSA, "gen-crl"]
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    if result.returncode != 0:
+        raise CertError(f"Certificate revoked, but there was an error during generating CRL: {result.stderr[:500]}")
+    # TODO check that Keycloak really looks into the CRL during user authentication
 
 
 def get_pem_files(cn: str):
diff --git a/main.py b/main.py
index 21c8cdb3f0a87677e8c2518b81d0816853c0fb7d..9a5f2644c64793767f179e8b35c1fd8c9f309659 100644
--- a/main.py
+++ b/main.py
@@ -374,8 +374,6 @@ def add_user():
         try:
             certificates.generate_certificate(user.cn)
             flash(f'Certificate for user "{user.username}" was successfully created.', "success")
-
-
         except certificates.CertError as e:
             flash(str(e), "error")
             return redirect_to_main_page() # don't continue creating user accounts in services
@@ -531,12 +529,16 @@ def delete_user(username: str):
         flash(f"Error: Can't get user info from KeyCloak: {e}", "error")
         return redirect_to_main_page()
 
-    # TODO revoke certificate
+    try:
+        certificates.revoke_certificate(user_spec.cn)
+        flash(f'Certificate for "{user_spec.cn}" revoked.', "success")
+    except certificates.CertError as e:
+        flash(f"Error: {e}", "error")
 
     # Keycloak
     try:
         kc_delete_user(user_spec.kcid)
-        flash('User successfully deleted from KeyCloak.', "success")
+        flash(f'User "{user_spec.username}" successfully deleted from KeyCloak.', "success")
     except KeycloakError as e:
         flash(f'Error when deleting user from KeyCloak: {e}', "error")