000018840 - How do you add reason codes to the Certificate Revocation List (CRL) on KCA?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018840
Applies To: Keon Certificate Authority 5.7
Keon Certificate Authority 6.0
Issue: How do you add reason codes to the Certificate Revocation List (CRL) on KCA?
Reference: RFC 2459
5.3 CRL Entry Extensions
The CRL entry extensions already defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs provide methods for associating additional attributes with CRL entries [X.509] [X9.55].  The X.509 v2 CRL format also allows communities to define private CRL entry extensions to carry information unique to those communities.  Each extension in a CRL entry may be designated as critical or non-critical.  A CRL validation MUST fail if it encounters a critical CRL entry extension which it does not know how to process.  However, an unrecognized non-critical CRL entry extension may be ignored.  The following subsections present recommended extensions used within Internet CRL entries and standard locations for information.  Communities may elect to use additional CRL entry extensions; however, caution should be exercised in adopting any critical extensions in CRL entries which might be used in a general context.
All CRL entry extensions used in this specification are non-critical. Support for these extensions is optional for conforming CAs and applications.  However, CAs that issue CRLs SHOULD include reason codes (see sec. 5.3.1) and invalidity dates (see sec. 5.3.3) whenever this information is available.
5.3.1  Reason Code
The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation. CAs are strongly encouraged to include meaningful reason codes in CRL entries; however, the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value.
           id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
           -- reasonCode ::= { CRLReason }
           CRLReason ::= ENUMERATED {
                unspecified             (0),
                keyCompromise           (1),
                cACompromise            (2),
                affiliationChanged      (3),
                superseded              (4),
                cessationOfOperation    (5),
                certificateHold         (6),
                removeFromCRL           (8) }
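The reasonCode entry extension quoted above, worked through as an added example that is not part of the RSA article or of KCA: hand-rolled DER (short-form lengths only) encodes the extension for a CRL entry, omits it for unspecified(0) as 5.3.1 recommends, and applies the 5.3 rule that an unrecognized critical entry extension fails validation while an unrecognized non-critical one is ignored. The only real identifier used is OID 2.5.29.21 (id-ce 21) from the RFC text.

```python
# Added example (not from the RSA article or KCA): RFC 2459 reasonCode in hand-rolled DER.
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
              4: "superseded", 5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL"}
ID_CE_CRL_REASON = bytes.fromhex("551d15")  # DER contents of OID 2.5.29.21 (id-ce 21)

def _tlv(tag, body):  # DER tag-length-value; short-form length is all an entry extension needs
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Read one short-form TLV at pos; return (tag, contents, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form DER length not supported"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_reason_code(reason):
    """DER Extension for reasonCode, or None when RFC 2459 5.3.1 says to omit it (unspecified(0)).
    The extension is non-critical, so the DEFAULT FALSE critical BOOLEAN is left out."""
    if reason == 0:
        return None
    if reason not in CRL_REASON:
        raise ValueError(f"not a CRLReason value: {reason}")
    enumerated = _tlv(0x0A, bytes([reason]))  # ENUMERATED { reason }
    return _tlv(0x30, _tlv(0x06, ID_CE_CRL_REASON) + _tlv(0x04, enumerated))

def parse_extension(der):
    """Decode one Extension SEQUENCE into (oid_contents, critical, extnValue contents)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid, pos = _read_tlv(body, 0)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    tag, value, pos = _read_tlv(body, pos)
    critical = tag == 0x01 and value != b"\x00"  # BOOLEAN critical is present only when TRUE
    if tag == 0x01:
        tag, value, pos = _read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    return oid, critical, value

def process_entry_extensions(extensions):
    """RFC 2459 5.3 for one CRL entry: return the reason name (or None); an unrecognized
    critical extension fails validation, an unrecognized non-critical one is ignored."""
    reason = None
    for ext in extensions:
        oid, critical, value = parse_extension(ext)
        if oid == ID_CE_CRL_REASON:
            tag, enum, _ = _read_tlv(value, 0)
            assert tag == 0x0A and len(enum) == 1, "reasonCode must be a one-byte ENUMERATED"
            reason = CRL_REASON.get(enum[0], f"unknown({enum[0]})")
        elif critical:
            raise ValueError(f"unrecognized critical CRL entry extension {oid.hex()}")
    return reason
```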
Resolution: KCA 6.0 and previous versions currently do not have the ability to add reason codes to CRLs. An Enhancement Request has been submitted (TM 6012 and tst00023266), and this feature will be added to the next KCA major release, which is expected in Q3 2002.

Legacy Article ID: a7056