Reason Codes for Revoking Certificates


Reason code            Use when

KeyCompromise          A computer is stolen or a smart card is lost

CACompromise           A CA's private key or CA certificate is compromised

AffiliationChanged     An employee is terminated or suspended

Superseded             An issued certificate is replaced, for example because a smart card fails or the legal name of a user has changed

CessationOfOperation   A CA is decommissioned and removed from the network

CertificateHold        A certificate needs to be put on hold temporarily

RemoveFromCRL          A certificate on CertificateHold is unrevoked (listed only in delta CRLs)

Unspecified            You revoke a certificate without providing a reason


Introduction

Certificate revocation is the process of invalidating a certificate before its scheduled expiration. For example, an employee is issued a certificate for smart card logon with a validity period of 1 year. If that employee leaves the organization 5 months later, the certificate should be revoked to prevent its further use. When a certificate manager revokes a certificate, the certificate manager specifies the reason for the revocation.

When a certificate is revoked, a reason code is recorded with the revocation entry. This revocation reason serves as a useful tracking mechanism for why certificates are revoked in an organization. For example, when reviewing the reasons why certificates were revoked over a one-year period, an organization might find that a high number of certificates were revoked because of a key compromise. This should prompt the organization to evaluate its security practices to reduce the number of key compromises.

Reason codes

When revoking certificates, use one of the following reason codes:

■ KeyCompromise. The private key that is associated with the certificate is compromised and is in the possession of an unauthorized individual—for example, if a portable computer is stolen or a smart card is lost.

■ CACompromise. The smart card or disk on which the CA's private key is stored is compromised and is in the possession of an unauthorized individual. When a certificate manager revokes a CA's certificate, all certificates issued by that CA are considered revoked.

■ AffiliationChanged. An individual is terminated or has resigned from an organization. It is not necessary to revoke a certificate when an individual changes departments unless your security policy requires that each departmental CA should issue certificates to the individuals in that department.

■ Superseded. A new certificate must be issued if a smart card fails or the legal name of a user has changed. The new certificate supersedes the previous certificate, which must be revoked.

■ CessationOfOperation. If your organization decommissions a CA, use this revocation code to revoke the CA's certificate. Do not revoke the certificate if the CA publishes CRLs for the currently issued certificates but does not issue new certificates.

■ CertificateHold. A temporary revocation that indicates that the CA will not vouch for the certificate at the current time. CertificateHold is the only reason code that can be reversed: after a certificate is revoked by using CertificateHold, you can later unrevoke it. A certificate revoked with any other reason code stays revoked.

Note To unrevoke a certificate revoked with CertificateHold, type certutil -revoke certificateserialnumber unrevoke. The certificate serial number can be found in the details pane of the certificate.

■ RemoveFromCRL. If you revoke a certificate by using CertificateHold, you can unrevoke the certificate. The unrevoking process still lists the certificate in the CRL, but with the revocation code set to RemoveFromCRL. The RemoveFromCRL reason code is specific to the CertificateHold reason and is only used in delta CRLs.

■ Unspecified. You can revoke a certificate without providing a specific revocation code. Using Unspecified is not recommended, however, because it does not provide an audit trail that identifies why a certificate was revoked.
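The rules in the list above (CertificateHold is the only reversible reason, lifting a hold produces a RemoveFromCRL entry that appears only in a delta CRL, and every other reason is final), together with the per-period tally of reasons described in the Introduction, as a small Python model. This is an added example, not code from the page, from certutil, or from Microsoft; the serial numbers and dates are constructed, and the numeric values are the CRLReason codes from RFC 5280 section 5.3.1 (the same numbers certutil -revoke accepts as a reason argument).

```python
"""Added example: a model of a CA revocation database with reason codes.
Not certutil or Microsoft code; serials and dates are constructed.
Numeric values follow the CRLReason enumeration of RFC 5280 (7 is unassigned)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Reason(IntEnum):
    Unspecified = 0
    KeyCompromise = 1
    CACompromise = 2
    AffiliationChanged = 3
    Superseded = 4
    CessationOfOperation = 5
    CertificateHold = 6
    RemoveFromCRL = 8  # written by the CA when a hold is lifted, never chosen by hand


@dataclass
class RevocationEntry:
    serial: str
    reason: Reason
    when: datetime


class RevocationDatabase:
    """An entry is either revoked with a reason, or (after a hold is lifted)
    marked RemoveFromCRL so the next delta CRL tells relying parties to drop it."""

    def __init__(self) -> None:
        self._entries: dict[str, RevocationEntry] = {}
        self._log: list[RevocationEntry] = []  # every action, for the audit tally

    def revoke(self, serial: str, reason: Reason, when: datetime) -> RevocationEntry:
        serial = serial.upper()
        if reason == Reason.RemoveFromCRL:
            raise ValueError("RemoveFromCRL is produced by unrevoke(), not selected")
        current = self._entries.get(serial)
        if current and current.reason not in (Reason.CertificateHold, Reason.RemoveFromCRL):
            raise ValueError(f"{serial} is already permanently revoked ({current.reason.name})")
        entry = RevocationEntry(serial, reason, when)
        self._entries[serial] = entry
        self._log.append(entry)
        return entry

    def unrevoke(self, serial: str, when: datetime) -> RevocationEntry:
        """Only a CertificateHold can be lifted (certutil -revoke <serial> Unrevoke)."""
        serial = serial.upper()
        current = self._entries.get(serial)
        if current is None or current.reason != Reason.CertificateHold:
            raise ValueError(f"{serial} is not on CertificateHold; cannot unrevoke")
        entry = RevocationEntry(serial, Reason.RemoveFromCRL, when)
        self._entries[serial] = entry
        self._log.append(entry)
        return entry

    def base_crl(self) -> list[RevocationEntry]:
        """A base CRL lists only currently revoked certificates; a lifted hold is absent."""
        return [e for e in self._entries.values() if e.reason != Reason.RemoveFromCRL]

    def delta_crl(self, since: datetime) -> list[RevocationEntry]:
        """Changes since the base CRL; the only place a RemoveFromCRL entry appears."""
        return [e for e in self._entries.values() if e.when > since]

    def reason_summary(self, start: datetime, end: datetime) -> Counter[str]:
        """Per-period count of revocation reasons, the review the Introduction describes."""
        return Counter(e.reason.name for e in self._log
                       if start <= e.when < end and e.reason != Reason.RemoveFromCRL)


def _day(d: int) -> datetime:
    return datetime(2024, 3, d, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenario with hypothetical serial numbers."""
    db = RevocationDatabase()
    db.revoke("1A2B", Reason.KeyCompromise, _day(1))       # laptop stolen
    db.revoke("3C4D", Reason.CertificateHold, _day(2))     # user on leave
    db.revoke("5E6F", Reason.AffiliationChanged, _day(3))  # employee left
    base_issued = _day(4)
    base = db.base_crl()
    db.unrevoke("3C4D", _day(5))                           # user is back
    db.revoke("7A8B", Reason.Superseded, _day(6))          # smart card replaced
    return {
        "base": sorted(e.serial for e in base),
        "delta": {e.serial: e.reason.name for e in db.delta_crl(base_issued)},
        "next_base": sorted(e.serial for e in db.base_crl()),
        "summary": dict(db.reason_summary(_day(1), _day(31))),
    }


def rejected_operations() -> list[str]:
    """The two operations the reason list rules out, reported by name."""
    db = RevocationDatabase()
    db.revoke("AA11", Reason.KeyCompromise, _day(1))
    attempts = {
        "unrevoke a KeyCompromise": lambda: db.unrevoke("AA11", _day(2)),
        "revoke with RemoveFromCRL": lambda: db.revoke("BB22", Reason.RemoveFromCRL, _day(2)),
    }
    return [name for name, op in attempts.items()
            if _raises_value_error(op)]


def _raises_value_error(op) -> bool:
    try:
        op()
    except ValueError:
        return True
    return False
```

Running demo() shows the hold on 3C4D in the base CRL, the RemoveFromCRL entry for it only in the delta CRL, and its absence from the next base CRL; rejected_operations() shows that a KeyCompromise cannot be unrevoked and that RemoveFromCRL cannot be chosen as a revocation reason. The CACompromise cascade (every certificate issued by the compromised CA is treated as revoked) is a property of chain validation rather than of the revocation database and is not modelled here.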


Responses

  • lorna
    Which of the following is not a reason code for revoking a certificate?
    7 years ago
  • immacolata
    How to change certificate revocation reason code?
    1 year ago
  • Anne
    How to change revoked certificate reason code?
    10 months ago
  • gregor
    Which of the following is a reason to revoke a certificate?
    8 months ago
  • stephanie
    What type of violations can revoke a post certificate?
    5 months ago