REASON CODES FOR CERTIFICATE REVOCATION



When a certificate is revoked, a reason must be stated. Revocation reason codes are specified in RFC 5280. This page explains the reason codes in detail, with use cases. The listing follows the severity classification specified by Mozilla, from the least severe reason, unspecified, to the most severe reason, key compromise. If several reasons are applicable, the most severe (lowest) one must be chosen.

  • Unspecified: The unspecified reason is the default reason for a revocation. Unspecified is chosen when none of the reasons below is applicable.

  • Superseded: This reason code is used when a certificate will be revoked due to certificate renewal and when none of the reason codes below are applicable.

  • affiliationChanged: Affiliation changed is applicable when information in the certificate, such as O/L or surname/givenname, is no longer valid due to changes.

  • cessationOfOperation: This reason code is used when ownership of a domain has changed or when a website has been decommissioned.

  • keyCompromise: A key compromise refers to compromise of the key used in certificate enrollment. Compromise may be public disclosure of the key on the Internet or the key being in the hands of a third party. This reason code is to be used only when a key compromise has been observed or when there is a suspicion of a key compromise. Please read through the instructions before using this reason code.
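The selection rule above, as an added example that is not Telia's own code: it picks the most severe applicable reason using the order of this list and returns the DER value of the reasonCode CRL entry extension. The function names are hypothetical; the reason names and numeric values are the CRLReason values from RFC 5280, whose numeric order differs from the severity order used here.

```python
# Added example: names and numbers are RFC 5280 CRLReason values; the severity
# order is the order of the list on this page (least to most severe).
from typing import Iterable, Optional

# RFC 5280 CRLReason ENUMERATED values for the five reasons listed on this page.
CRL_REASON = {
    "unspecified": 0,
    "keyCompromise": 1,
    "affiliationChanged": 3,
    "superseded": 4,
    "cessationOfOperation": 5,
}

# Page order, least severe first. Note that it is not the numeric order above.
SEVERITY = ["unspecified", "superseded", "affiliationChanged",
            "cessationOfOperation", "keyCompromise"]


def select_reason(applicable: Iterable[str]) -> str:
    """Return the most severe applicable reason; 'unspecified' if none applies."""
    chosen = "unspecified"
    for reason in applicable:
        if reason not in CRL_REASON:
            raise ValueError(f"reason not covered by this page: {reason!r}")
        if SEVERITY.index(reason) > SEVERITY.index(chosen):
            chosen = reason
    return chosen


def reason_code_der(reason: str) -> Optional[bytes]:
    """DER value of the reasonCode CRL entry extension (an ENUMERATED).

    RFC 5280 section 5.3.1 says the extension SHOULD be absent rather than
    carry unspecified (0), so None is returned for that case.
    """
    value = CRL_REASON[reason]
    if value == 0:
        return None
    return bytes([0x0A, 0x01, value])  # tag ENUMERATED, length 1, value


if __name__ == "__main__":
    # Constructed case: certificate renewed and the website also decommissioned.
    picked = select_reason(["superseded", "cessationOfOperation"])
    print(picked, reason_code_der(picked).hex())
```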

More information about revocation is available in Telia Server Certificate CPS, section 4.9. The CPS is located here