Symantec Encryption Management Server (PGP Server) has the ability to manage PGP keys and ensure they are all properly updated. There are limits to what the PGP server can do depending on the keymode. These are not limitations of the server itself, but rather of what an entity is authorized to do with a PGP key and what information is available, such as a keypair.
Revoking keys is a non-trivial task. Revoking a key means you no longer want anyone to encrypt to the key. When a key is revoked, it can still be used to decrypt content, but further encryption to the key will not be possible. If you need to revoke a key, you can do so with some caveats.
If you would like to revoke a PGP key on the PGP server, you can do so fully if the keymode is SKM. The reason for this is that the PGP server has access to the full keypair as well as the passphrase.
If you have a GKM, CKM, or SCKM key, then the only portion of the key that you can revoke is the signature that the Organization Key makes on each of the keys that it manages.
Revoking the key signature does not require modifying the key itself, as signatures can be placed on any key with only a public portion.
In order to fully revoke a key, you must have the keypair, and know the passphrase of the key.
SCKM is a special keymode in which the signing portion is not on the server, and because of this, it also behaves like a GKM or CKM key.
If you would like to revoke a GKM, CKM, or SCKM key, you must have the end user do so, as they are the only ones who have full ownership of the keys. Once they revoke the key, have them update the key to the server and update policy, and then they can reset their key (if messaging is enabled).
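To check which kind of revocation an exported key actually carries, the following added example (not Symantec code and not part of the original article) reads a binary OpenPGP packet stream and reports the revocation signature types defined in RFC 4880. It assumes that a full key revocation appears as type 0x20 and a revoked Organization Key signature as type 0x30; the function names and sample bytes are constructed, and the code does not verify signatures or identify the issuer.

```python
# RFC 4880 section 5.2.1 signature types that express a revocation
REVOCATION_TYPES = {
    0x20: "key revocation (issued with the key's own private part)",
    0x28: "subkey revocation",
    0x30: "certification revocation (a signer withdrawing its signature)",
}

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:  # new-format header: tag in low 6 bits
            tag = hdr & 0x3F
            first = data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag = (hdr >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if size is None:
                raise ValueError("indeterminate length not handled")
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def revocations(data):
    """Return the revocation signature types found, in stream order."""
    found = []
    for tag, body in iter_packets(data):
        if tag == 2 and len(body) >= 3:  # tag 2 = signature packet
            sig_type = body[2] if body[0] == 3 else body[1]  # v3 vs v4 layout
            if sig_type in REVOCATION_TYPES:
                found.append(sig_type)
    return found
# Constructed sample: two signature packet headers with dummy (invalid) bodies
SAMPLE = bytes([0xC2, 4, 4, 0x30, 1, 8]) + bytes([0x88, 4, 4, 0x20, 1, 8])
```

A key showing only 0x30 has lost a certification but is not itself revoked; only a 0x20 signature marks the key as revoked.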
EPG-27138