
Revoking certificates

This article includes updates for Smart ID 21.04.2.


This article describes how to revoke certificates. Certificates can be revoked using the standard Change State in CA task. See Set up process in Identity Manager for more information. This task will change the state of a certificate in Identity Manager and in the CA that issued it.

Certificates can also be set to certificateHold as soon as they are issued by a CA, as described under Certificates and keys in Identity Manager in the subsection "PKCS#10 requests - Temporary revoke a certificate right after P10-request".


RFC 5280 section 5.3.1 defines a number of reason codes for certificate revocation. As long as the CA you are using supports them, you can use these reason codes when revoking certificates. However, certificate states in Identity Manager are not limited to those reason codes; several other states are used in the different default Identity Manager packages. When a state change is sent to the CA, it is mapped as follows:

  • Any reason defined in RFC-5280 is used without further mapping.
  • temporary.inactive is mapped to certificateHold.
  • active and valid are mapped to removeFromCRL.
  • inactive, locked, expired, replaced, retired and revoked are mapped to the state configured for rfc5280ReasonForInactiveAndLocked (defaults to unspecified).

Any other reason will throw an exception in order to prevent accidental certificate revocations because of a typo.

The following excerpt from system.properties shows how to configure the mapping for rfc5280ReasonForInactiveAndLocked and which values can be used, depending on the CA you use. This applies to both Docker and WAR file deployments.

Example: system.properties

########################
# override default RFC-5280 revocation reason name to map the following IDM cert states to:
# inactive/locked/expired/replaced/retired/revoked
#######
# CM - one of: unspecified (default), keyCompromise, affiliationChanged, superseded,
#             cessationOfOperation, privilegeWithdrawn
#
#integratedCMServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# ADCS/MSCA - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
#                    superseded, cessationOfOperation
#
#proxyServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# EJBCA - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
#                 superseded, cessationOfOperation, privilegeWithdrawn, aACompromise
#
#ejbcaServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
####
# D-Trust - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
#            superseded, cessationOfOperation, privilegeWithdrawn, aACompromise
#
#integratedDtrustServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# Idnomic OpenTrust - one of: unspecified (default), keyCompromise, cACompromise, affiliationChanged,
#            superseded, cessationOfOperation, privilegeWithdrawn (=> unspecified), aACompromise
#
#idnomicServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
#####
# QuoVadis - one of: superseded (default), keyCompromise, affiliationChanged, cessationOfOperation
#
#quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=superseded
#########################
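The following is an added illustration, not Identity Manager's own code, of the state-to-reason mapping and the exception rule described above, together with a reader for the rfc5280ReasonForInactiveAndLocked property from the excerpt. Function names, the constructed properties sample, and the choice to validate the configured value against the per-connector list are assumptions.

```python
# Added example, not Identity Manager code; function names are assumptions.
# CRLReason names from RFC 5280 section 5.3.1.
RFC5280_REASONS = {
    "unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "removeFromCRL", "privilegeWithdrawn", "aACompromise",
}
# IDM states that map to the configured rfc5280ReasonForInactiveAndLocked value.
INACTIVE_LIKE = {"inactive", "locked", "expired", "replaced", "retired", "revoked"}
# Values accepted per connector, from the excerpt's comments (two connectors shown).
CA_ALLOWED = {
    "integratedCMServiceFactory": {"unspecified", "keyCompromise", "affiliationChanged",
                                   "superseded", "cessationOfOperation", "privilegeWithdrawn"},
    "quoVadisServiceFactory": {"superseded", "keyCompromise", "affiliationChanged",
                               "cessationOfOperation"},
}
DEFAULT_REASON = {"quoVadisServiceFactory": "superseded"}  # others default to unspecified
SAMPLE_PROPERTIES = """# constructed sample of a system.properties fragment
#integratedCMServiceFactory.rfc5280ReasonForInactiveAndLocked=unspecified
quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=keyCompromise
"""

def load_inactive_reason(properties_text, factory):
    """Reason configured for <factory>: commented-out or missing key gives the
    connector default; a value the connector does not support is an error."""
    key = factory + ".rfc5280ReasonForInactiveAndLocked"
    reason = DEFAULT_REASON.get(factory, "unspecified")
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment, blank or malformed line
        k, v = line.split("=", 1)
        if k.strip() == key:
            reason = v.strip()
    if reason not in CA_ALLOWED[factory]:
        raise ValueError(f"{factory} does not support revocation reason {reason!r}")
    return reason

def map_state_to_reason(state, inactive_reason="unspecified"):
    """Translate an IDM certificate state into the RFC 5280 reason sent to the CA."""
    if state in RFC5280_REASONS:
        return state  # RFC 5280 reasons pass through unchanged
    if state == "temporary.inactive":
        return "certificateHold"
    if state in ("active", "valid"):
        return "removeFromCRL"
    if state in INACTIVE_LIKE:
        return inactive_reason
    # Anything else is refused so that a typo cannot cause an unintended revocation.
    raise ValueError(f"unknown certificate state {state!r}")
```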
