Certificate Revocation Reason Codes

Q

What are the reasons why a X.509 certificate got revoked?

✍: FYIcenter.com

A

When a certificate CA publishes a CRL (Certificate Revocation List) file with a list of revoked certificates, a revocation reason code will be provided for each revocation entry.

There are several reason codes commonly used in CRL files:

  • 0 - Unspecified: Certificate was revoked for unspecified reason
  • 1 - Key Compromise: Private key of the certificate was compromized
  • 2 - CA Compromise: Private key of the certificate CA was compromized
  • 3 - Affiliation Changed: Certificate owner changed affiliation
  • 4 - Superseded: A new certificate was issued to replace this one
  • 5 - Cessation of Operation: Certificate owner stopped operation
  • 6 - Certificate Hold: Certificate was put on hold

As you can see, the most serious reason is the "2 - CA Compromise". In this case, all X.509 certificates issued by this CA must be revoked immediately. Using a certificate whose CA private key was compromized is extremely dangerous.

 

⇒ Examples of Revoked Certificates

⇐ CRL File Format and Fields

⇑ CRL (Certificate Revocation List)

⇑⇑ Revoked Certificates - CRL and OCSP

2019-07-19, 9315👍, 0💬