Revoking certificates
This article includes updates for Smart ID 21.04.2.
This article describes how to revoke certificates. Certificates can be revoked using the standard Change State in CA task. See Set up process in Identity Manager for more information. This task will change the state of a certificate in Identity Manager and in the CA that issued it.
Certificates can also be set to certificateHold
as soon as they are issued by a CA, as described under Certificates and keys in Identity Manager in the subsection "PKCS#10 requests - Temporary revoke a certificate right after P10-request".
RFC-5280 section 5.3.1 defines a number of reason codes for certificate revocations. As long as the CA you are using supports these, you can use them when revoking certificates. However, certificate states in Identity Manager are not limited to these states. In fact, several other states are used in different default Identity Manager packages. In the CA, these are mapped as follows:
Any reason defined in RFC-5280 is used without further mapping.
temporary.inactive
is mapped tocertificateHold
.active
andvalid
are mapped toremoveFromCRL
.inactive
,locked
,expired
,replaced
,retired
andrevoked
are mapped to the state configured forrfc5280ReasonForInactiveAndLocked
(defaults tounspecified
).
Any other reason will throw an exception in order to prevent accidental certificate revocations because of a typo.
The following excerpt from system.properties demonstrates how to configure the mapping for rfc5280ReasonForInactiveAndLocked
and which values can be used, depending on the CA you use. This applies for both docker and WAR file deployments.
Example: system.properties
########################
# override default RFC-5280 revocation reason name to map the following IDM cert states to:
# inactive/locked/expired/replaced/retired/revoked
#######
# CM - one of: unspecified (default), keyCompromise, affiliationChanged, superseded,
# cessationOfOperation, privilegeWithdrawn
#
#integratedCMServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# ADCS/MSCA - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
# superseded, cessationOfOperation
#
#proxyServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# EJBCA - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
# superseded, cessationOfOperation, privilegeWithdrawn, aACompromise
#
#ejbcaServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
####
# D-Trust - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
# superseded, cessationOfOperation, privilegeWithdrawn, aACompromise
#
#integratedDtrustServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# Idnomic OpenTrust - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
# superseded, cessationOfOperation, privilegeWithdrawn (=> unspecified), aACompromise
#
#idnomicServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# QuoVadis - one of: superseded (default), keyCompromise, affiliationChanged, cessationOfOperation
#
#quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=superseded
#########################
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions