From: Tomas G. <to...@pr...> - 2015-04-07 14:52:20
You should check the content of a generated CRL, then you can see that
it follows exactly what RFC5280 says.

    openssl crl -inform DER -in ManagementCA.crl -text

    Serial Number: 37606FCBBCDF2D31
        Revocation Date: Dec 10 14:27:43 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 5BCF9BA74FF3F424
        Revocation Date: Dec 10 14:26:53 2014 GMT

Regards,
Tomas
On 2015-04-07 16:43, Michael Postmann wrote:
> I can select "unspecified" but as far as I understand the RFC if you have no meaningful reason the reason SHOULD be omitted instead of just specifying "unspecified".
> I know it's only cosmetic and it doesn't bother me at all, but I thought it might be worth thinking about. It's only a "SHOULD" though, which according to RFC means
> "... that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
> so it's not really mandatory.
>
> As for the revocation reasons:
>
> "Cessation of operation" as far as I understand should be used if an (Intermediate) CA is brought out of service (0). "Superseded" on the other hand is used if you replace a certificate with a new one.
> For now I've chosen "Affiliation changed" as the client certificate was for a non-existing test-person who is now no longer doing "business" with us, I think that's the most appropriate.
>
> At the end it doesn't matter at all. We use the PKI internally and nobody will ever bother with the CRLs I guess ;-).
>
> cheers
> nomike
>
> -----Original Message-----
> From: Tomas Gustavsson [mailto:to...@pr...]
> Sent: Tuesday, 7 April 2015 16:25
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] Revoke certificate without reason
>
>
> I have no problem selecting "unspecified" as revocation reason, from the list of revocation reasons. What do you see? Which screen in the admin GUI?
>
> "Cessation of operation" or "Superseded" sounds like a suitable reason for test certificates.
>
> Cheers,
> Tomas
>
>
> On 2015-04-07 15:07, Michael Postmann wrote:
>> Hi!
>>
>> According to RFC 5280 (p. 69) "CRL issuers are strongly
>> encouraged to include meaningful reason codes in CRL entries;
>> however, the reason code CRL entry extension SHOULD be absent instead
>> of using the unspecified (0) reasonCode value."
>>
>> However when I want to revoke a certificate on the web interface it's
>> not possible to select no reason.
>>
>> Is this intentionally left out or is there another way to achieve this?
>>
>> Besides that, what I actually want to do is to revoke some certificates
>> I issued for testing the PKI. What's the most appropriate reason for that?
>>
>> regards
>>
>> nomike
>>
>> --
>>
>> *Michael Postmann*
>>
>> Application Engineer
>>
>> paysafecard.com <http://paysafecard.com/> Wertkarten GmbH
>> Am Euro Platz 2, A-1120 Wien
>>
>> phone: +43 1 / 720 83 80 - 649
>> fax: +43 1 / 720 83 80 - 12
>>
>> mobile: +43 676 / 765 77 31
>>
>> skype: nomike31
>> mail: m.p...@pa... <mailto:m.p...@pa...>
>>
>> web: www.paysafecard.com <http://www.paysafecard.com/>
>>
>> Firmenbuch: FN 194434h
>> Handelsgericht Wien
>>
>>
>>
>> ------------------------------------------------------------------------------
>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>> Develop your own process in accordance with the BPMN 2 standard
>> Learn Process modeling best practices with Bonita BPM through live exercises
>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>>
>>
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
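Added example (not part of the original thread and not EJBCA code): a standard-library Python walk over the DER of a CRL's revokedCertificates list, reporting per entry whether a reasonCode extension is present and whether it carries the unspecified (0) value that RFC 5280 says SHOULD be left out. The first two entries reproduce the serials, dates and reason from the openssl output quoted above; the third entry, the helper names and the restriction to short-form DER lengths are assumptions of this sketch.

```python
# Added example, not EJBCA code; helper names are illustrative, short-form DER only.
REASON_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
           8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

def tlv(tag, body):
    """Encode one DER element (short-form length, body under 128 bytes)."""
    assert len(body) < 0x80, "long-form length not handled in this sketch"
    return bytes([tag, len(body)]) + body

def read(buf, pos=0):
    """Decode the element at pos and return (tag, body, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def children(body):
    """Yield (tag, body) for each element inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        yield tag, val

def entry(serial_hex, utctime, reason=None):
    """Build one revoked entry; reason=None leaves crlEntryExtensions out."""
    der = tlv(0x02, bytes.fromhex(serial_hex)) + tlv(0x17, utctime.encode())
    if reason is not None:
        ext = tlv(0x06, REASON_OID) + tlv(0x04, tlv(0x0A, bytes([reason])))
        der += tlv(0x30, tlv(0x30, ext))
    return tlv(0x30, der)

def audit(revoked_der):
    """Return (serial, reason name or None if absent, follows the RFC 5280 SHOULD)."""
    rows = []
    for _, ent in children(read(revoked_der)[1]):
        fields, code = list(children(ent)), None
        for _, exts in fields[2:]:                 # optional crlEntryExtensions
            for _, ext in children(exts):
                parts = list(children(ext))        # extnID, [critical], extnValue
                if parts[0][1] == REASON_OID:      # OCTET STRING wraps ENUMERATED
                    code = read(parts[-1][1])[1][0]
        rows.append((fields[0][1].hex().upper(), REASONS.get(code, code), code != 0))
    return rows

SAMPLE = tlv(0x30, entry("37606FCBBCDF2D31", "141210142743Z", 4)  # from the thread
             + entry("5BCF9BA74FF3F424", "141210142653Z")         # from the thread
             + entry("0123456789ABCDEF", "141210142900Z", 0))     # constructed
```

Calling audit(SAMPLE) marks only the constructed third entry as departing from the SHOULD; the entry with no extension at all is the form the RFC prefers when there is no meaningful reason.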