Revocation and endpoint reason codes
When viewing the Result status in the Revocation area, you'll find one of several reasons displayed for the revocation of a certificate.
When a certificate is revoked, Trust Protection Platform displays the possible reasons why the certificate issuer did so. The issuer is responsible for specifying a reason. The reasons for revocation depend on whether the response came from the CRL or the OCSP.
CRL Revocation Response Codes
The CRL revocation response codes are defined in Section 6.3.2(b) of RFC 5280 as outlined in the following table, which also includes a description of how certificates with these reason codes are treated by Trust Protection Platform.
| Code | Definition | Friendly Name | Description |
|---|---|---|---|
| 0 | unspecified | Unspecified |
The reason was not given, or did not match an existing code. While it is possible to revoke a certificate with the This option is not provided in TLS Protect, because it is not considered best practice to use it. |
| 1 | keyCompromise | Key Compromise | The token or disk location where the private key associated with the certificate has been compromised and is in the possession of an unauthorized individual. This can include the case where a laptop is stolen or a smart card is lost. |
| 2 | cACompromise | CA Compromise | The token or disk location where the CA’s private key is stored has been compromised and is in the possession of an unauthorized individual. When a CA’s private key is revoked, this results in all certificates issued by the CA that are signed using the private key associated with the revoked certificate being considered revoked. |
| 3 | affilliationChanged | Affiliation Changed | The user’s relationship with the organization has been terminated, indicated in the DN attribute of the certificate. This revocation code is most often used when an individual is terminated or has resigned from an organization. You do not have to revoke a certificate when a user changes departments, unless your security policy requires a different certificate be issued by a departmental CA. With this revocation code there is no cause to suspect that the private key has been compromised. |
| 4 | superseded | Superseded | A replacement certificate has been issued to a user, and the reason does not fall under the previous reasons. This revocation reason is most often used when a smart card fails, the password for a token is forgotten by a user, or the user’s legal name has changed. There is no cause to suspect that the private key has been compromised. |
| 5 | cessationOfOperation | Cessation of Operation |
Used anytime a certificate is no longer needed because the system or service that consumed the certificate is taken out of service before the expiration date on the certificate. If you select Original use no longer valid when you Revoke a certificate in TLS Protect, it will display this reason code, as this revocation reason was intended to express the idea of cessation of operation of a device or system, so the certificate should no longer be used or trusted. |
| 6 | certificateHold | Certificate Hold |
A temporary revocation that indicates a CA will not vouch for a certificate at a specific point in time. Once a certificate is revoked with a IMPORTANT Trust Protection Platform treats a |
| 7 | { value 7 is not used } | Reserved | This code is not used in the RFC, and does not appear anywhere in Trust Protection Platform. |
| 8 | removeFromCRL | Remove from CRL |
If a certificate is revoked with the Trust Protection Platform considers certificates marked with the |
| 9 | privilegeWithdrawn | Privilege Withdrawn |
Indicates that a certificate (public key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn. While a valid revocation code per the RFC, this revocation reason is not available in TLS Protect. |
| 10 | aACompromise | AA Compromise |
Indicates that it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised. You cannot select this as a revocation reason in TLS Protect because it is determined at a higher level. |
NOTE Information for this table came was adapted from RFC 5280, Microsoft documentation (https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700843(v=technet.10)#revocation-reasons) and the International Telecommunication Union (https://www.itu.int/rec/T-REC-X.509-201210-S).
The CA/Browser Forum (https://www.cabforum.org) issued the document "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v. 1.2.5 (2015)". In chapter 13, it includes requirements for certificate revocation and status checking. Section 13.1.5 (page 22 of the linked PDF) specifies several situations in which a "CA shall revoke a Certificate within 24 hours".
OCSP Endpoint Response Codes
| Code | Definition | Friendly Name | Description |
|---|---|---|---|
| 0 | successful | Successful |
If the response is successful, the response will include a CertStatus value of one of the following:
|
| 1 | malformedRequest | Illegal confirmation request | The request was not sent correctly to the OCSP. Verify your OCSP configuration. |
| 2 | internalError | Internal error in issuer | The OCSP responder replied with the code "Internal Error." This indicates that Trust Protection Platform was able to contact the OCSP endpoint, but an error occurred on their side. Try checking the certificate for revocation again, or wait for it to be checked by the CRL (if available for that certificate). |
| 3 | tryLater | Try again later | The OCSP endpoint was unable to process the request at this time. You should try the revocation check at a later time. |
| 4 | { value 4 is not used } | Reserved | This value is not used in the RFC, and will therefore never appear in Trust Protection Platform. |
| 5 | sigRequired | Must sign the request | The OCSP endpoint requires that the request be signed before constructing a response. Trust Protection Platform does not support OCSP signature requests. Use another OCSP endpoint, or CRL. |
| 6 | unauthorized | Request unauthorized | The OCSP doesn't recognize this request as an authorized request. Either the client is not authorized to make the query, or the server is not capable of responding authoritatively. (See RFC 5019 Section 2.2.3.) Check your OCSP configuration or contact Venafi Support. |
NOTE Information for this table was adapted from RFC 6960 section 2.2 and section 4.2.1.
If Trust Protection Platform detects an error with the OCSP response data, it may show one of the error messages in the following table.
| Name | Description |
|---|---|
| None | An error occurred that isn't otherwise accounted for. Check the logs or call Venafi Customer Support for assistance. |
| Invalid Date | The OCSP response included an invalid date, so the data couldn't be verified. |
| Response Does Not Contain Certificate | The OCSP response does not contain the certificate status, so the status is unknown. |
| Signature Validation Failed | This means that the OCSP response, which is signed by the certificate authority, had an invalid signature, and therefore can't be trusted. In this case, contact your PKI administrator for what to do next. If you are the PKI administrator, you need to check your OCSP settings and make sure you are connecting to the correct OCSP endpoint. |
| General Error | This means that there was some other error during the parsing of the data or during communication with the OCSP endpoint. Check the logs for additional information about what happened, which should help you know how to resolve the issue. |
Next Steps
Check the General > Log tab for useful details about actions taken on your certificate.