diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go
index e23aadcafe9f..1906e24bb254 100644
--- a/builtin/logical/pki/path_revoke.go
+++ b/builtin/logical/pki/path_revoke.go
@@ -7,6 +7,7 @@ import (
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/vault/sdk/framework"
+ "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/helper/errutil"
 "github.com/hashicorp/vault/sdk/logical"
 )
@@ -50,6 +51,10 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
 return logical.ErrorResponse("The serial number must be provided"), nil
 }
+ if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
+ return nil, logical.ErrReadOnly
+ }
+
 // We store and identify by lowercase colon-separated hex, but other
 // utilities use dashes and/or uppercase, so normalize
 serial = strings.Replace(strings.ToLower(serial), "-", ":", -1)
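Review bot: The new standby guard in pathRevokeWrite carries no comment, and its intent is not obvious from the code: returning `logical.ErrReadOnly` reads like a refusal, while the purpose is presumably to have the revocation handled by the active node, which can write the revoked entry and rebuild the CRL. I would add `// Performance standbys cannot write storage; return ErrReadOnly so the revocation is handled by the active node rather than attempted locally.` above the `if`. Because a revocation that is silently dropped leaves a certificate trusted, a test that sends the revoke to a standby and then checks that the certificate is reported as revoked would pin this behaviour. The rest of pathRevokeWrite lies outside the hunk, so I cannot tell from here whether any other revocation entry point needs the same guard.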