If the private key of a SSL server certificate is lost or stolen the certificate must be revoked immediately. More commonly, all SSL certificates which are still valid but are no longer used or required must also be revoked by the Certificate Holder.

Every Certificate Authority manages their own certificate revocation lists (CRL) which are published showing the SSL certificates that should no longer be trusted. This enables web browsers in turn to warn users that a certificates used to secure a particular web service cannot be trusted and therefore the user should not proceed.

Authorised users of the JCS web app can revoke certificates directly through their organisation's Certificate Service account, using the following steps:

1. Log in to the JCS web app;

2. Click on the down arrow next to the 'JCS Account' tab and select 'View All Certificates';

3. Find the certificate in question and click on the spanner icon relating to that certificate, found on the right side of the page, chosing 'Revoke Certificate';

4. Enter the reason why the certificate is being revoked and press green 'Revoke' button;

5. The certificate is now revoked and cannot be compromised or used by another party without users encountering errors.

According to RFC 5280 (page 69) there are 10 reasons for revoking a certificate:

• unspecified (0)
• keyCompromise (1)
• CACompromise (2)
• affiliationChanged (3)
• superseded (4)
• cessationOfOperation (5)
• certificateHold (6)
• (value 7 is not used)
• removeFromCRL (8)
• privilegeWithdrawn (9)
• AACompromise (10)

If you would like more information on revocation please contact the Janet Service Desk at service@ja.net, or telephone 0300 300 2212.