2.5.3.2.3 Revoke a Certificate

Goal: To revoke a previously issued certificate and to publish a list of revoked certificates.

Context of Use: In the event that a previously issued certificate has to be invalidated for any number of different reasons, such as a compromise, the CA administrator can revoke the certificate and include this certificate within a CRL that can be referenced by any entity consuming the certificate and attempting to validate it.

Direct Actor: The direct actor is the CA administrator.

Primary Actor: The primary actor is the same as the direct actor.

Supporting Actors: There are no supporting actors in this use case.

Stakeholders and Interests:

  • The primary interest of the CA administrator is to ensure that the certificate is revoked and a new CRL is published.

  • The primary interest of the end entity is the assurance that the revoked certificate referencing them are no longer valid.

    Other applications and system administrators might rely upon or use the end entity's certificate for a variety of purposes, for assurance that certificates are valid for their intended purpose.

Preconditions:

  • The CA has previously issued a certificate.

  • The CA administrator can provide the serial number of the certificate that is to be revoked.

Minimal Guarantee: The minimal guarantee is that the CA administrator receives an error message that explains why the revocation of the certificate failed.

Success Guarantee: The CA system guarantees that a certificate is revoked and added to a CRL.

Trigger: The CA administrator requests a certificate revocation.

Main Success Scenario:

  1. When the trigger occurs, the CA revokes the certificate.

  2. The CA administrator then invokes the CA to create and publish the CRL, so the revoked status can be discovered by interested parties.

Extensions: None.

Post-conditions: Upon successful completion of the use case, the certificate is revoked and a new CRL is published with the latest information about the status of the certificate.