diff --git a/client/foundries_pki.go b/client/foundries_pki.go
index 7c10e593..342a812b 100644
--- a/client/foundries_pki.go
+++ b/client/foundries_pki.go
@@ -16,7 +16,8 @@ type CaCerts struct {
 	EstCrt  string `json:"est-tls-crt,omitempty"`
 	TlsCrt  string `json:"tls-crt,omitempty"`
 
-	CaRevokeCrl string `json:"ca-revoke-crl,omitempty"`
+	CaRevokeCrl string   `json:"ca-revoke-crl,omitempty"`
+	CaDisabled  []string `json:"disabled-ca-serials,omitempty"` // readonly
 
 	ChangeMeta ChangeMeta `json:"change-meta"`
 }
diff --git a/subcommands/keys/ca_show.go b/subcommands/keys/ca_show.go
index 0fe876fd..2f27e7ab 100644
--- a/subcommands/keys/ca_show.go
+++ b/subcommands/keys/ca_show.go
@@ -58,6 +58,7 @@ func doShowCA(cmd *cobra.Command, args []string) {
 			printOneCert(resp.TlsCrt)
 		case justShowCas:
 			printOneCert(resp.CaCrt)
+			printDisabledCas(resp.CaDisabled)
 		default:
 			panic("Unknown flag: " + flag)
 		}
@@ -82,6 +83,7 @@ func doShowCA(cmd *cobra.Command, args []string) {
 	printOneCert(resp.TlsCrt)
 	fmt.Println("\n## Device Authentication Certificate(s)")
 	printOneCert(resp.CaCrt)
+	printDisabledCas(resp.CaDisabled)
 }
 
 func printOneCert(crt string) {
@@ -92,6 +94,15 @@ func printOneCert(crt string) {
 	}
 }
 
+func printDisabledCas(serials []string) {
+	if len(serials) > 0 {
+		fmt.Println("\n## Disabled Device Authentication Certificate Serial(s)")
+		for _, num := range serials {
+			fmt.Println(" - ", num)
+		}
+	}
+}
+
 func keyUsage(val asn1.BitString) string {
 	vals := ""
 	if val.At(0) != 0 {