000021270 - Revoked certificate reason code does not display

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021270

Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP4

Issue: Revoked certificate reason code does not display

The CRL Reason Code which appears in the published CRL using MS Windows is not the reason code which appears in the certificate. Reason code: "privilegeWithdrawn" shows up as "Unknown CRL Reason(9)".



5.3.1 Reason Code

The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation. CRL issuers are strongly encouraged to include meaningful reason codes in CRL entries. However, the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value.

id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }

-- reasonCode ::= { CRLReason }

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     removeFromCRL           (8),
     privilegeWithdrawn      (9),
     aACompromise           (10) }

Cause: Microsoft Windows does not recognize the CRL reason code "9", which is privilegeWithdrawn, as it is a fairly new code.

Resolution: When you choose privilegeWithdrawn for the CRL reason code, KCA sets the value to (9) as specified in the RFC. The problem is that Microsoft is not translating this value to the proper CRL Reason Code. This is not a problem with KCA.

Legacy Article ID: a21870