TLS Certificate Revocation Reasons

May 8, 2023


This support article provides guidance for GlobalSign TLS certificate subscribers on the use of the permitted certificate revocation reasons.

In compliance with the Mozilla policy on TLS Certificate Revocation, TLS Certificates may be revoked ONLY for one of the following reasons:

  • unspecified (RFC 5280 CRLReason #0)
  • keyCompromise (RFC 5280 CRLReason #1)
  • affiliationChanged (RFC 5280 CRLReason #3)
  • superseded (RFC 5280 CRLReason #4)
  • cessationOfOperation (RFC 5280 CRLReason #5)
  • privilegeWithdrawn (RFC 5280 CRLReason #9) - Note: This reason code can only be used for CA-initiated revocations.

Subscriber Revocation Reason Options

  • unspecified (RFC 5280 CRLReason #0)
    • When the reason codes below do not apply to the revocation request, the subscriber can opt not to provide a reason, in which case GlobalSign will record the reason as "unspecified". This is the default value when no reason is supplied.
  • keyCompromise (RFC 5280 CRLReason #1)
    • The certificate subscriber must choose the "keyCompromise" revocation reason when they have reason to believe that the private key of their certificate has been compromised.
  • affiliationChanged (RFC 5280 CRLReason #3)
    • The certificate subscriber should choose the "affiliationChanged" revocation reason when their organization's name or other organizational information in the certificate has changed.
    • This option does not apply to DV certificates that do not include any Subject Identity information.
  • superseded (RFC 5280 CRLReason #4)
    • The certificate subscriber should choose the "superseded" revocation reason when they request a new certificate to replace their existing certificate. Note that the certificate will be revoked immediately, so this option should only be used once the new certificate has been installed on all applicable servers.
  • cessationOfOperation (RFC 5280 CRLReason #5)
    • The certificate subscriber should choose the "cessationOfOperation" revocation reason when they no longer own all of the domain names in the certificate or when they will no longer be using the certificate because they are discontinuing their website.
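
The permitted-reason list above can be checked against a published CRL. The following is an added example, not GlobalSign code: it parses the text printed by `openssl crl -text -noout` (here a constructed, trimmed sample) and flags entries whose reason falls outside the list. Treating an entry with no reason extension as "unspecified" is an assumption based on the default described above.

```python
import re

# CRLReason names as `openssl crl -text` prints them, mapped to RFC 5280 codes.
OPENSSL_REASONS = {
    "Unspecified": 0, "Key Compromise": 1, "CA Compromise": 2,
    "Affiliation Changed": 3, "Superseded": 4, "Cessation Of Operation": 5,
    "Certificate Hold": 6, "Remove From CRL": 8, "Privilege Withdrawn": 9,
    "AA Compromise": 10}
PERMITTED = {0, 1, 3, 4, 5, 9}  # the reasons listed in this article
CA_ONLY = {9}                   # privilegeWithdrawn: CA-initiated revocations only

# Constructed sample, trimmed (revocation dates omitted); not a real CRL.
SAMPLE = """\
Revoked Certificates:
    Serial Number: 0A01
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0A02
    Serial Number: 0A03
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 0A04
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Privilege Withdrawn
"""

def parse_entries(text):
    """Return [(serial, code)]; an entry without a reason extension counts as 0 (assumption)."""
    entries, expect_reason = [], False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Serial Number:\s*([0-9A-Fa-f]+)$", s)
        if m:
            entries.append([m.group(1).upper(), 0])
            expect_reason = False
        elif s.startswith("X509v3 CRL Reason Code"):
            expect_reason = True  # the reason name is on the following line
        elif expect_reason and entries:
            entries[-1][1] = OPENSSL_REASONS.get(s, -1)  # -1: unrecognised name
            expect_reason = False
    return [tuple(e) for e in entries]

def audit(text):
    """Map each revoked serial to 'ok', 'ca-only' or 'not-permitted'."""
    return {s: ("not-permitted" if c not in PERMITTED else
                "ca-only" if c in CA_ONLY else "ok") for s, c in parse_entries(text)}
```

For the sample, serial 0A03 (certificateHold) is reported as not permitted and 0A04 (privilegeWithdrawn) as a reason only the CA may assign.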

How to request revocation

GlobalSign Certificate Center (GCC) customers should follow the process on this page: https://support.globalsign.com/ssl/ssl-certificates-life-cycle/revocation-certificate

Our Atlas customers can perform revocation via the Atlas APIs.  Please download the latest GlobalSign Atlas Certificate Management API Guide for more details.

Anyone can request revocation by sending an email to report-abuse@globalsign.com or by opening a case using this page. Our support team will work with you to validate your request and revoke the requested certificate(s).
