OK, now we assume that our certificate is compromised. We suppose that you have a certificate with serial number 01. Certificate was valid. You can see this if you see V in /etc/pki/CA/index.txt. We will do revocation with /etc/pki/CA/newcerts/01.pem

[root@security1 dovecot]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem

If we look in content of index.txt file we will see that it is now R (revoked). Now you need to create a file which will indicate that certificate was revoken.

[root@security1 dovecot]# echo 00 > /etc/pki/CA/crlnumber

Now you need to build an up-to-date certificate revocation list.

[root@security1 dovecot]# cd /etc/pki/CA/crl
[root@security1 crl]# openssl ca -gencrl -out certificate.crl

If you want to make certificate readable by Firefox, you should do next:

[root@security1 crl]# openssl crl -in certificate.crl -outform DER -out certificate-der.crl

You should distribute your certificate-der.crl