When a certificate is no longer safe to use, you should revoke it. This can happen for a few different reasons. For instance, you might accidentally upload your private key to a public website; hackers might access your server and copy private keys; or hackers might temporarily gain control of your servers or DNS configuration and use it to validate and obtain certificates for which they hold the private key.
When you revoke a Shengzhao CA certificate, Shengzhao CA may publish revocation information via a Certificate Revocation List (CRL), and some browsers will consult the CRL to decide whether to trust the certificate.
Specifying a reason code
When revoking a certificate, Shengzhao CA subscribers should select a reason code as follows:
- No reason provided or unspecified (RFC 5280 CRLReason #0)
  - When the reason codes below do not apply to the revocation request, the subscriber must not provide a reason code other than “unspecified”.
- keyCompromise (RFC 5280 CRLReason #1)
  - The subscriber must choose the “keyCompromise” revocation reason when they have reason to believe that the private key of their certificate has been compromised. For example, an unauthorized person has had access to the certificate’s private key.
  - If the revocation request is signed using the certificate private key, rather than a subscriber account private key, Shengzhao CA may ignore the revocation reason in the request and set the reason to “keyCompromise”.
- superseded (RFC 5280 CRLReason #4)
  - The subscriber should choose the “superseded” revocation reason when they request a new certificate to replace their existing certificate.
- cessationOfOperation (RFC 5280 CRLReason #5)
  - The subscriber should choose the “cessationOfOperation” revocation reason when they no longer own all of the domain names in the certificate or when they will no longer be using the certificate because they are discontinuing their website.
  - If the revocation request comes from a user account that did not request the relevant certificate but has demonstrated control over all identifiers in the certificate, Shengzhao CA may ignore the revocation reason in the request and set the reason to “cessationOfOperation”.
Revocation requests specifying any reason code other than the above will be rejected.
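The reason-code rules above can be modelled as a check to run before submitting a revocation request. This is an added example, not Shengzhao CA's own code: the authentication labels and the function name are hypothetical, and it assumes the reason code is validated before any override and that each "may ignore" override is always applied.

```python
from enum import IntEnum


class CRLReason(IntEnum):
    """The four RFC 5280 CRLReason values the page lists as accepted."""
    unspecified = 0
    keyCompromise = 1
    superseded = 4
    cessationOfOperation = 5


# Hypothetical labels for how the revocation request was authenticated.
SUBSCRIBER_ACCOUNT = "subscriber-account-key"
CERTIFICATE_KEY = "certificate-private-key"
OTHER_ACCOUNT = "other-account-with-identifier-control"
_KNOWN_AUTH = (SUBSCRIBER_ACCOUNT, CERTIFICATE_KEY, OTHER_ACCOUNT)


def effective_reason(requested, authenticated_by):
    """Return the CRLReason expected to be recorded for a request.

    requested: integer reason code, or None when no reason is provided.
    Raises ValueError when the request would be rejected.
    """
    if authenticated_by not in _KNOWN_AUTH:
        raise ValueError(f"unknown authentication method: {authenticated_by!r}")

    # "No reason provided" is treated the same as unspecified (#0).
    code = 0 if requested is None else requested
    try:
        reason = CRLReason(code)
    except ValueError:
        # Any code outside {0, 1, 4, 5} is rejected, e.g. 3 (affiliationChanged).
        raise ValueError(f"reason code {code} is not accepted") from None

    # Assumption: the CA's optional overrides are modelled as always applied.
    if authenticated_by == CERTIFICATE_KEY:
        # Signed with the certificate's own key: recorded as keyCompromise.
        return CRLReason.keyCompromise
    if authenticated_by == OTHER_ACCOUNT:
        # Another account proved control of all identifiers in the certificate.
        return CRLReason.cessationOfOperation
    return reason
```

A request signed with the certificate key that asks for "superseded" therefore comes back as keyCompromise, which is worth knowing before choosing which key to sign the request with.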
Certificate revocation for this authority is non-automated; information updates may take 7 working days or more.