6.1.1. User-Initiated Revocation
When an end user submits a certificate revocation request, the first step in the revocation process
is for the Certificate Manager to identify and authenticate the end user to verify that the user is
attempting to revoke his own certificate, not a certificate belonging to someone else.
In SSL client authentication, the server expects the end user to present a certificate that has the same
subject name as the one to be revoked and uses that for authentication purposes. The server verifies
the authenticity of a revocation request by mapping the subject name in the certificate presented for
client authentication to certificates in its internal database. The server revokes the certificate only if the
certificate maps successfully to one or more valid or expired certificates in its internal database.
After successful authentication, if the server detects only one valid or expired certificate matching
the subject name of the one presented for client authentication, it revokes the certificate. If the server
detects more than one valid or expired certificate with a matching subject name, it lists all those
certificates. The user can then either select the certificate to be revoked or revoke all certificates in the
list.
6.1.2. Reasons for Revoking a Certificate
A Certificate Manager can revoke any certificate it has issued. There are generally accepted reason
codes for revoking a certificate that are often included in the CRL, such as the following:
• 0. Unspecified; no particular reason is given.
• 1. The private key associated with the certificate was compromised.
• 2. The private key associated with the CA that issued the certificate was compromised.
• 3. The owner of the certificate is no longer affiliated with the issuer of the certificate and either no longer has rights to the access gained with the certificate or no longer needs it.
• 4. Another certificate replaces this one.
• 5. The CA that issued the certificate has ceased to operate.
• 6. The certificate is on hold pending further action. It is treated as revoked but may be taken off hold in the future.
A certificate can be revoked by administrators, agents, and end entities. Agents and administrators
with agent privileges can revoke certificates using the forms in the agent services page. End users
can revoke certificates using the forms in the Revocation tab of the end-entity interface. End users
can revoke only their own certificates, whereas agents and administrators can revoke any certificates
issued by the server. End users are also required to authenticate to the server in order to revoke a
certificate.
Whenever a certificate is revoked, the Certificate Manager updates the status of the certificate in
its internal database. The server uses the entries in the internal database to track all revoked
certificates, and, when configured, it makes the CRLs public by publishing them to a central repository to
notify other users that the certificates in the list are no longer valid.
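The following is an added example, not Certificate System code, that models the two revocation paths described in 6.1.1 and 6.1.2: the end-user path, where the subject name of the certificate presented for SSL client authentication is mapped to the server's database and decides which certificates may be revoked (one match is revoked directly, several matches are listed for selection, a certificate belonging to someone else is refused), and the agent path, which may revoke any certificate the server issued. The reason codes are the ones listed above, and the certificate-hold case shows the one revocation that can later be undone. The in-memory database, the subject names and the serial numbers are constructed for illustration.

```python
"""Toy model of user- and agent-initiated revocation (added example,
not Certificate System code). All data below is constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class CRLReason(IntEnum):
    """CRL reason codes, numbered as in the list above."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6


@dataclass
class CertRecord:
    serial: int
    subject: str
    status: str = "VALID"            # VALID, EXPIRED or REVOKED
    reason: Optional[CRLReason] = None


class RevocationError(Exception):
    """Request refused: no match, wrong owner, unknown or already revoked."""


class SelectionRequired(Exception):
    """More than one certificate matches; the user must pick one or revoke all."""
    def __init__(self, serials):
        super().__init__("select a certificate to revoke, or revoke all")
        self.serials = serials


@dataclass
class CertDB:
    """Stand-in for the Certificate Manager's internal database."""
    records: List[CertRecord] = field(default_factory=list)

    def find(self, serial: int) -> CertRecord:
        for r in self.records:
            if r.serial == serial:
                return r
        raise RevocationError("certificate %d was not issued by this server" % serial)

    def candidates(self, subject: str) -> List[CertRecord]:
        # Map the authenticated subject name to valid or expired certificates only.
        return [r for r in self.records
                if r.subject == subject and r.status in ("VALID", "EXPIRED")]

    def revoke(self, serial: int, reason: CRLReason) -> None:
        rec = self.find(serial)
        if rec.status == "REVOKED":
            raise RevocationError("certificate %d is already revoked" % serial)
        rec.status, rec.reason = "REVOKED", reason


def revoke_by_user(db, auth_subject, reason, serial=None, revoke_all=False):
    """End-user path: the subject of the client-auth certificate bounds what
    the user may revoke. Returns the list of revoked serial numbers."""
    cands = db.candidates(auth_subject)
    if not cands:
        raise RevocationError("no valid or expired certificate matches the authenticated subject")
    if revoke_all:
        chosen = cands
    elif serial is not None:
        chosen = [r for r in cands if r.serial == serial]
        if not chosen:   # the selected certificate is not one of the user's own
            raise RevocationError("certificate %d does not belong to the authenticated user" % serial)
    elif len(cands) == 1:
        chosen = cands
    else:
        raise SelectionRequired([r.serial for r in cands])   # server lists them
    for r in chosen:
        db.revoke(r.serial, reason)
    return [r.serial for r in chosen]


def revoke_by_agent(db, serial, reason):
    """Agent/administrator path: any certificate issued by the server."""
    db.revoke(serial, reason)
    return serial


def release_hold(db, serial):
    """certificateHold (6) is the one reason that may later be undone."""
    rec = db.find(serial)
    if rec.status == "REVOKED" and rec.reason == CRLReason.CERTIFICATE_HOLD:
        rec.status, rec.reason = "VALID", None
        return True
    return False


def crl_entries(db):
    """What the server would publish: (serial, reason code) per revoked certificate."""
    return [(r.serial, int(r.reason)) for r in db.records if r.status == "REVOKED"]


def build_sample_db():
    """Constructed sample data: one certificate for alice, three for bob, one for carol."""
    return CertDB([CertRecord(101, "CN=alice"),
                   CertRecord(201, "CN=bob"),
                   CertRecord(202, "CN=bob", status="EXPIRED"),
                   CertRecord(203, "CN=bob", status="REVOKED", reason=CRLReason.SUPERSEDED),
                   CertRecord(301, "CN=carol")])
```

With the sample data, alice's single match is revoked immediately, bob's request raises `SelectionRequired` listing serials 201 and 202 (203 is already revoked and is not offered), and a request by bob naming carol's serial is refused because it does not map to the authenticated subject. A hold placed by an agent is the only revocation `release_hold` reverses.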
6.1.3. CRL Issuing Points
Because CRLs can grow very large, there are several methods to minimize the overhead of retrieving
and delivering large CRLs. One of these methods partitions the entire certificate space and associates