How to revoke a GPG Key and upload in GPG server?

Solution 1:

This is a summary of the steps for revoking, based on the article GPG: Revoking your public key and notifying key-server. The following assumes that the key server is pgp.mit.edu.

List keys

gpg --list-keys

Revoke your key

gpg --output revoke.asc --gen-revoke key-ID

Import revocation certificate into your keyring

gpg --import revoke.asc

Search your key on the key-server

gpg --keyserver pgp.mit.edu --search-keys key-ID

Send the revoked key to the key-server

gpg --keyserver pgp.mit.edu --send-keys key-ID

Solution 2:

As far as I know, if key is compromised then I can revoke the key using revocation certificate.

Yes, but as long as you have the actual private key (if it's compromised but not destroyed), you can always use it to revoke itself. That is, it can always generate new revocation certificates "on the fly".

Instead, the pre-generated revocation certificate exists for situations when the private key is completely lost, not merely when it's compromised. It's something to store on a USB stick at a friend's house.

(Of course, you should always keep a backup of the private key off-site as well. But the big difference is that a backup of the private key is much more sensitive, since if stolen it can be used to do anything under your name, whereas the 'revocation certificate' can only be used to do one very specific thing.)

Can someone suggest me how to revoke my key with revocation certificate?

It should be enough to import the revcert into your PGP keyring – it is essentially just a key signature ("self-certification" in GnuPG) that attaches to your main public key in the exact same way as you can have other people sign your key and import those signatures.

As soon as it is imported, the program should show the key as revoked and you should publish the updated public key in standard locations (keyserver, etc.)

Also one more doubt is, after revoking keys should I upload at any GPG Key server?

Yes, you should. Publishing keys (and updates to keys) is what keyservers are for.

If uploading to a key server is not required, then how can my customer check whether the key is revoked or not?

You can manually (re-)export the revoked key to a file and give it to them directly (or publish it on Keybase or your website – if you expect the customer to re-check it daily...) But they're certainly not going to magically know what happens inside your computer. That's why keyservers exist.
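
One way a recipient can check an exported key file for revocation, as an added example that is not part of the original answers: import the file into a throwaway keyring and read the validity field of the `pub` record in GnuPG's `--with-colons` listing, where `r` means revoked. The function names, the sample listing and its key IDs are constructed for illustration.

```shell
#!/bin/sh
# key_status ID
#   Reads `gpg --with-colons --list-keys` output on stdin.
#   ID is a 16-hex long key ID or a 40-hex v4 fingerprint (the last 16 hex
#   digits of a v4 fingerprint are the long key ID).
#   Prints: revoked | not-revoked | not-found
key_status() {
    want=$(printf '%s' "${1#0x}" | tr -d ' ' | tr 'a-f' 'A-F')
    # Short 8-digit key IDs are easy to collide, so refuse them.
    [ "${#want}" -ge 16 ] || { echo "use a long key ID or fingerprint" >&2; return 2; }
    awk -F: -v want="$want" '
        BEGIN { id = substr(want, length(want) - 15); status = "not-found" }
        # pub record: field 2 = validity ("r" = revoked), field 5 = long key ID
        $1 == "pub" && toupper($5) == id {
            status = ($2 == "r") ? "revoked" : "not-revoked"
        }
        END { print status }'
}

# check_key_file FILE ID
#   Imports FILE into a temporary keyring, so the caller's own keyring is
#   left untouched, then reports the status of the key identified by ID.
check_key_file() {
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$tmp" --batch --with-colons --list-keys 2>/dev/null |
        key_status "$2"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample listing (not real keys): one revoked key, one valid key.
sample_listing() {
    cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:r:4096:1:AAAABBBBCCCCDDDD:1600000000:::-:::sc::::::23::0:
fpr:::::::::000011112222333344445555AAAABBBBCCCCDDDD:
uid:r::::1600000000::0000::Constructed Revoked <revoked@example.invalid>::::::::::0:
pub:u:4096:1:1111222233334444:1600000000:::u:::scESC::::::23::0:
fpr:::::::::9999888877776666555544441111222233334444:
uid:u::::1600000000::0000::Constructed Valid <valid@example.invalid>::::::::::0:
EOF
}

# Usage against a real export (file name is a placeholder):
#   check_key_file vendor-key.asc <40-hex-fingerprint>
```

The result is only as current as the copy of the key that was imported, so a recipient needs to re-fetch the key from the keyserver or the owner to learn about a later revocation.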