000019093 - Does KCA publish reason codes for revoked certificates?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000019093

Applies To:
Microsoft Windows 2000 Server
Microsoft Windows NT Server
Keon Certificate Authority 5.7

Issue:
Does KCA publish reason codes for revoked certificates?
KCA operating normally
CRL is published to LDAP or HTTP
There are no reason codes given for certificates revoked by KCA

Cause:
KCA publishes only 2 reason codes for a revoked certificate: 0 for unspecified and 6 for certificateHold.

Resolution:
Refer to the RFC for CRL profiles (RFC 2459, http://www.ietf.org/rfc/rfc2459.txt). The section on reason codes (under the section for extensions) gives the following reason codes:

       unspecified             (0),
       keyCompromise           (1),
       cACompromise            (2),
       affiliationChanged      (3),
       superseded              (4),
       cessationOfOperation    (5),
       certificateHold         (6),
       removeFromCRL           (8)

"Unspecified" is universally the default reason code. When KCA publishes a revocation with this reason, it does not include a reason code with the revocation entry; it gives nothing for the reason. Applications such as OCSP will pick this up as the unspecified code.

When you publish a suspended certificate in the CRL, the reason code specified by KCA is reason 6, "certificateHold", and this can be seen in Internet Explorer.
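The following is an added example, not RSA or KCA code: it shows how a relying party reads the reasonCode extension from a CRL entry and falls back to "unspecified" when the extension is absent, which is how the article describes KCA's revoked entries. The DER entries, serial numbers and helper names are constructed for illustration.

```python
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
           6: "certificateHold", 8: "removeFromCRL"}
REASON_OID = bytes.fromhex("551d15")  # DER body of OID 2.5.29.21 (reasonCode)

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length

def entry_reason(entry_der):
    """Return (serial, reason name) for one revokedCertificates entry."""
    (tag, body), = tlvs(entry_der)
    if tag != 0x30:
        raise ValueError("entry is not a SEQUENCE")
    fields = list(tlvs(body))  # serial, revocationDate, [crlEntryExtensions]
    serial = int.from_bytes(fields[0][1], "big")
    for ftag, exts in fields[2:]:
        if ftag != 0x30:
            continue
        for _, ext in tlvs(exts):
            parts = list(tlvs(ext))  # extnID, [critical], extnValue
            if parts[0] == (0x06, REASON_OID):
                (_, value), = tlvs(parts[-1][1])  # OCTET STRING wraps ENUMERATED
                code = int.from_bytes(value, "big")
                return serial, REASONS.get(code, f"unknown({code})")
    return serial, "unspecified"  # extension absent: treated as unspecified (0)

def der(tag, *parts):
    """Encode one short-form DER element (sample data only, body < 128 bytes)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample entries: a revoked certificate with no extensions, as the
# article describes for KCA, and a suspended one carrying certificateHold (6).
WHEN = der(0x17, b"170421000000Z")
REVOKED = der(0x30, der(0x02, b"\x10\x01"), WHEN)
ON_HOLD = der(0x30, der(0x02, b"\x10\x02"), WHEN, der(0x30, der(0x30,
              der(0x06, REASON_OID), der(0x04, der(0x0A, b"\x06")))))
```

Calling `entry_reason(REVOKED)` and `entry_reason(ON_HOLD)` returns the serial number with "unspecified" and "certificateHold" respectively.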

See also: Can you specify a reason code for a revoked certificate in KCA?
Legacy Article ID: a5857