Certificate revocation reason values

A certificate can be revoked for a number of reasons, and those are specified in the CRL as per RFC 5280 Section 5.3.1:

   CRLReason
        unspecified             (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        removeFromCRL           (8),
        privilegeWithdrawn      (9),
        aACompromise            (10)

Value 7 is not used, removeFromCRL is only applicable to delta CRLs and certificateHold is a reversible revocation (can be "unrevoked" at a later stage).
Please note that certificateHold is not an acceptable revocation reason in publicly trusted server certificates, as per CA/B Forum Baseline Requirements.

https://tools.ietf.org/html/rfc5280#section-5.3.1
https://en.wikipedia.org/wiki/Certificate_revocation_list#Reasons_for_revocation
https://cabforum.org/baseline-requirements-documents/

Comments

Post a Comment

Popular posts from this blog

Windows automatic Root CA updates

Image
Microsoft runs its own Trusted Root Program , defining which Root CAs are considered trusted in Microsoft products. The list of trusted Root CAs and/or the corresponding metadata is updated regularly (updates are published here and made available for download in the form of a Certificate Trust List (CTL) here . Windows systems can be configured to automatically update their list of trusted Root CAs, via " Automatic Root Certificates Update ", a setting that can be configured via policy: gpedit.msc > Local Computer Policy > Computer Configuration > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update According to the description of the policy setting, having it disabled or not configured will trigger automatic updates via the Windows Update website. The policy editor, especially when it comes to policies not configured, is not always a trustworthy source, so in case of doubt check the corr...
Read more

Updating the Windows Root CA store

Image
Windows Root CA certificate store is updated automatically , but there are cases where this is not desirable or possible. In some cases, the Windows CTL Updater functionality might be disabled, e.g. to keep full control over the process on systems where this is a requirement, and in some other cases end systems might lack connectivity to the Microsoft endpoints providing the updates (although these can also be replaced by local endpoints if required). In such cases, a mechanism to update the Windows Root CA store either on-demand or in an offline fashion might be required. The certutil command allows for this, providing 2 useful parameters. The -syncWithWU parameter allows for on-demand update of the Root CA store. This is useful when auto-update is disabled or when troubleshooting the auto-update process (e.g. if we have issues with some Root CA not being present or similar). The certutil command to be run would be: certutil -syncWithWU [DestinationDirectory] Where  [Destinatio...
Read more

Java and the Windows certificate store

Image
Java includes its own Root CA trusted certificate store, regularly updated via its  Root Certificate Program  and implemented via its cacerts certificates file (by default under  $JAVA_HOME\lib\security ). In addition to its own trusted certificate store, it is also possible to configure clients to make Java trust the certificates present in a browser's certificate store (limited to Internet Explorer and Mozilla Firefox). This can be achieved via a setting within Control Panel > Java > Advanced > Advanced Security Settings called " Use certificates and keys in browser keystore ": The setting is enabled by default, and it is documented  here . According to its description, in particular on Windows platforms " On Windows, browser keystore is supported through Internet Explorer. Certificates and keys in Internet Explorer are automatically recognized by Java Plug-in and Java Web Start when Java and JavaFX applications are deployed on Windows ". Microsoft W...
Read more