Revocation reason (#4987)

* fix revocation reason help text

* add it to the docs

* move and expand revoke reason example

2 files changed, 9 insertions, 2 deletions

diff --git a/certbot/cli.py b/certbot/cli.py
index 7135f7600..e8b825a91 100644
--- a/certbot/cli.py
+++ b/certbot/cli.py
@@ -1156,9 +1156,10 @@ def _create_subparsers(helpful):
                 " Currently --csr only works with the 'certonly' subcommand.")
     helpful.add("revoke",
                 "--reason", dest="reason",
-                choices=CaseInsensitiveList(constants.REVOCATION_REASONS.keys()),
+                choices=CaseInsensitiveList(sorted(constants.REVOCATION_REASONS,
+                                                   key=constants.REVOCATION_REASONS.get)),
                 action=_EncodeReasonAction, default=0,
-                help="Specify reason for revoking certificate.")
+                help="Specify reason for revoking certificate. (default: unspecified)")
     helpful.add("rollback",
                 "--checkpoints", type=int, metavar="N",
                 default=flag_default("rollback_checkpoints"),
diff --git a/docs/using.rst b/docs/using.rst
index aae8efbf2..8d9a22847 100644
--- a/docs/using.rst
+++ b/docs/using.rst
@@ -383,6 +383,12 @@ use the ``revoke`` command to do so. Note that the ``revoke`` command takes the
 
   certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem
 
+You can also specify the reason for revoking your certificate by using the ``reason`` flag.
+Reasons include ``unspecified`` which is the default, as well as ``keycompromise``,
+``affiliationchanged``, ``superseded``, and ``cessationofoperation``::
+
+  certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem --reason keycompromise
+
 Additionally, if a certificate
 is a test certificate obtained via the ``--staging`` or ``--test-cert`` flag, that flag must be passed to the
 ``revoke`` subcommand.