The CA will revoke a Certificate after receiving a valid revocation request from an RA operating under such CA.
Circumstances for Revocation
Revocation of CA Certificates may be performed by Entrust in the following circumstances.
- The RA requests that an Issuing Certificate be revoked;
- The RA can be shown to have violated, or is suspected of violating, the requirements of this CPS or the Agreement;
- There is a suspected compromise of the associated private key; or
- When the Agreement with Entrust is terminated.
Revocation of Subscriber Certificates is to be performed when the RA requests that a Subscriber Certificate be revoked.
Who can Request Revocation of a Certificate
The RA may request revocation of any Certificates issued.
It is the responsibility of the RA to handle Subscriber requests for Certificate revocation.
Procedure for Revocation Request
The RA shall request revocation of their Issuing CA Certificate, or of an individual Subscriber Certificate, if the RA has a suspicion or knowledge of, or a reasonable basis for believing, that any of the following events has occurred:
- Compromise of the Certificate's Private Key;
- Knowledge that the original Certificate request was not authorized.
The RA shall submit revocation requests to the CA via authenticated API.
Certificate Revocation Grace Period
CAs do not apply any grace period. Revocation requests are processed synchronously in sequence with the API request and response.
Time Within Which CA Must Process The Revocation Request
CAs will revoke Certificates upon receipt of a proper revocation request.
Revocation Checking Requirement for Relying Parties
It is recommended that Relying Parties implement revocation checking. The matter of how often new revocation data should be obtained is a determination to be made by the Relying Party, considering the risk, responsibility, and consequences for using a Certificate whose revocation status cannot be guaranteed.
Revocation Lists Issuance Frequency
CRLs are generated every 24 hours and are valid for 7 days.
A revocation request for a certificate can set an instant CRL update flag. In this case a new CRL containing the certificate revoked in the request will be generated as soon as possible, depending on the service load. Under normal load the CRL will be generated in less than 15 minutes.
Maximum Latency for CRLs
CRLs are available within seconds of issuance. No delay is imposed between the issuance and publication of CRLs for caching or any other purpose.
On-line Revocation/Status Checking Availability
On-line revocation/status checking of Certificates is available on a continuous basis by CRL and optionally OCSP.
On-line Revocation Checking Requirements
CAs support an OCSP capability using the GET and POST methods for Certificates issued in accordance with this CPS.
The CAs shall sign and make available OCSP as follows:
- OCSP responses for Issuing CA Certificates are issued upon request.
- OCSP responses for Subscriber Certificates are issued upon request.
If the OCSP responder receives a request for status of a Certificate serial number that is "unused", then the responder will not respond with a "good" status.
The on-line locations of the CRL and the OCSP response are included in the Certificate to support software applications that perform automatic Certificate status checking.
Other Forms of Revocation Advertisements Available
The CA does not provide any other forms of Certificate status.
Special Requirements re: Key Compromise
If an RA suspects, knows, or is informed of Private Key compromise, then the RA is required to take necessary steps to revoke the Certificate, immediately stop using such Certificate, and remove such Certificate from any devices and/or software in which such Certificate has been installed.
Circumstances for Suspension
Suspension of Certificates is to be performed when the RA requests that a Certificate be suspended.
Who Can Request Suspension
The RA may request suspension of any Certificates issued.
It is the responsibility of the RA to handle requests for Certificate suspension.
Procedure for Suspension Request
The RA shall submit suspension requests to the CA via authenticated API.
Limits on Suspension Period
There is no time limit on suspension.