Revocation Requests
A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date.
Certificate revocation is a process in which a certificate's usage is terminated before the validity period expires. There are multiple reasons for certificate revocation, which are:
Unspecified - This reason indicates that the certificate is revoked for an unknown reason.
Affiliation Changed - This reason indicates that the subject's name or other information has changed.
Superseded - This reason indicates that the certificate has been superseded: a new certificate is replacing the existing one.
Cease of Operation - This reason indicates that a server or computer has been decommissioned and the certificates issued to it are no longer required.
Privilege Withdrawn - This reason indicates that the privileges granted to the subject of the certificate have been withdrawn.
AA Compromise - This reason indicates that it is known or suspected that the private key of the attribute authority (AA) has been compromised.
Key Compromise - This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.
CA Compromise - This reason indicates that it is known or suspected that the issuing CA's private key has been compromised.
Certificate Hold - This reason indicates that the certificate has been put on hold (Revoke temporarily). One of the following hold instructions should be provided:
- id-holdinstruction-none
- id-holdinstruction-callissuer
- id-holdinstruction-reject
ADSS Web RA supports the following types of TLS certificates:
- EV TLS Server authentication
- TLS Client authentication
- TLS Server authentication
When an EV TLS Server authentication certificate is revoked, ADSS Web RA will support only the following six revocation reasons:
- Unspecified
- Key Compromise
- Affiliation Changed
- Superseded
- Cease of Operation
- Privilege Withdrawn
An Administrator can approve a user's revocation.
Expand Requests > Revocation Requests from the left menu pane. The Revocation Requests listing will appear. The Requested By column will display the Citizen ID below the user name if this is enabled under Configurations > Default Settings.
The revocation reason is not shown when a user revokes a virtual ID certificate while logged in with a Citizen ID.
To revoke a certificate:
- Expand Certificate Requests > Revocation Requests; the menu will toggle down.
- Then click the button and select View Request, as displayed in the screenshot below:
The request will appear on the screen, where you can scroll through four steps (SDNs, Certificate Validity, Vetting Form and Message). Click Approve and you will see a similar screen for approval. Once you click Ok, a toaster message "Certificate revoke certificate reviewed" will be displayed.
Certificate Suspension (Dual Control)
Certificate suspension is an action that temporarily invalidates a certificate.
Note:
- Certificate suspension is a temporary status. Upon certificate suspension, no action will be taken for certificates existing in SigningHub or CSP.
- If a certificate is provisioned in SigningHub, it will not be de-provisioned in case of suspension. A user will have to delete the certificate manually from SigningHub.
- However, a suspended certificate can be permanently revoked or reinstated. Once a suspended certificate is permanently revoked, it will be deleted from the CSP Service and SigningHub.
- Click Dual Control (this functionality only works when it is allowed in the Dual Control section), then click Requests.
- Once you click the button, click "View Request" (of an approved certificate). This certificate's status will appear as Reviewed.
The request will appear on the screen, where you can scroll through four steps (SDNs, Certificate Validity, Vetting Form and Message). Click Approve and you will see a similar screen for approval. Once you click Ok, a toaster message "Certificate #" Certificate revoked will be displayed.
The status of the certificate will be Suspended and can be viewed in the Certificates listing. (Admin > Certificates).
Reinstate Certificate
A revoked certificate can be activated by using the Reinstate option.
Once a user has requested to reinstate a certificate via Web Portal, this certificate request will be listed under the Revocation Requests listing.
Click Requests in the admin portal; a sub menu will toggle down. Then click "Revocation Requests".
Click the button and then click View Request.
Click the button and then "More Actions" against the suspended certificate that you want to reinstate.
A "Certificate Action" screen will be displayed. Select "Reinstate" from the action drop down, check the confirmation message and then click "Reinstate".
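The revocation-reason rules from the start of this page (the three hold instructions, the six reasons permitted for an EV TLS Server authentication certificate) and the suspend / reinstate / permanent-revoke lifecycle described under Certificate Suspension and Reinstate Certificate, modelled together as an added Python example. This is illustrative code written for this page, not ADSS Web RA's own implementation; the `Certificate` class, its status names and the `deleted_from_csp_and_signinghub` flag are assumptions, while the reason codes and OIDs are the RFC 5280 values.

```python
from enum import IntEnum

class CRLReason(IntEnum):
    """reasonCode values from RFC 5280 section 5.3.1 (value 7 is unused)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    PRIVILEGE_WITHDRAWN = 9
    AA_COMPROMISE = 10

# OIDs of the three hold instructions named in the text (RFC 5280 appendix A).
HOLD_INSTRUCTIONS = {"id-holdinstruction-none": "2.2.840.10040.2.1",
                     "id-holdinstruction-callissuer": "2.2.840.10040.2.2",
                     "id-holdinstruction-reject": "2.2.840.10040.2.3"}

# The six reasons the text allows for an EV TLS Server authentication certificate.
EV_TLS_SERVER_REASONS = {CRLReason.UNSPECIFIED, CRLReason.KEY_COMPROMISE,
                         CRLReason.AFFILIATION_CHANGED, CRLReason.SUPERSEDED,
                         CRLReason.CESSATION_OF_OPERATION, CRLReason.PRIVILEGE_WITHDRAWN}

class Certificate:
    """Assumed lifecycle (not the product's own model): Active -> Suspended -> Active or Revoked."""
    def __init__(self, cert_type):
        self.cert_type, self.status = cert_type, "Active"
        self.deleted_from_csp_and_signinghub = False  # set only on permanent revocation

    def revoke(self, reason, hold_instruction=None):
        # Validate the request against the page's rules, then apply the resulting status.
        if self.cert_type == "EV TLS Server authentication" and reason not in EV_TLS_SERVER_REASONS:
            raise ValueError(f"{reason.name} is not allowed for an EV TLS Server certificate")
        if reason == CRLReason.CERTIFICATE_HOLD:
            if hold_instruction not in HOLD_INSTRUCTIONS:
                raise ValueError("certificateHold requires one of the three hold instructions")
            self.status = "Suspended"  # temporary: nothing is removed from SigningHub or the CSP
        else:
            if hold_instruction is not None:
                raise ValueError("a hold instruction only accompanies certificateHold")
            self.status = "Revoked"  # permanent: deleted from the CSP Service and SigningHub
            self.deleted_from_csp_and_signinghub = True
        return self.status

    def reinstate(self):
        if self.status != "Suspended":
            raise ValueError("only a suspended certificate can be reinstated")
        self.status = "Active"
        return self.status
```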
Second Factor Authentication
If second factor authentication is enabled for certificate requests, the configured authentication mechanism is applied. When a user clicks the Generate button, the authentication window appears, and once authentication via the selected method succeeds, the certificate is generated.
The authentication mechanism can be one of the following:
- SMS OTP Authentication
- Email OTP Authentication
- Email & SMS Authentication
- SAML Authentication
- Active Directory Authentication
- Azure Active Directory Authentication
- OIDC Authentication