Revocation Reason Codes for TLS Server Certificates

<!DOCTYPE html> <html lang="en-US" dir="ltr" class="no-js"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="license" href="#license"> <link rel="profile" href="https://gmpg.org/xfn/11"> <link rel="shortcut icon" type="image/png" href="https://blog.mozilla.org/security/wp-content/themes/frontierline/img/favicon.png">   <meta name="title" content="Revocation Reason Codes for TLS Server Certificates – Mozilla Security Blog"> <meta property="og:site_name" content="Mozilla Security Blog"> <meta property="og:url" content="https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates"> <meta property="og:title" content="Revocation Reason Codes for TLS Server Certificates – Mozilla Security Blog"> <meta property="og:description" content="We are adding a requirement about which RFC 5280 Revocation Reason Codes must be used under certain circumstances, and requiring that CA operators provide their full CRL URLs in the CCADB."> <meta property="twitter:title" content="Revocation Reason Codes for TLS Server Certificates – Mozilla Security Blog"> <meta property="twitter:description" content="We are adding a requirement about which RFC 5280 Revocation Reason Codes must be used under certain circumstances, and requiring that CA operators provide their full CRL URLs in the CCADB."> <meta name="twitter:card" content="summary"> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <meta name="blog-name" content="Mozilla Security Blog" />  <title>Revocation Reason Codes for TLS Server Certificates - Mozilla Security Blog</title> <meta name="description" content="We are adding a requirement about which RFC 5280 Revocation Reason Codes must be used under certain circumstances, and requiring that CA operators provide their full CRL URLs in the CCADB." /> <link rel="canonical" href="https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/" /> <meta name="twitter:label1" content="Written by" /> <meta name="twitter:data1" content="Kathleen Wilson" /> <meta name="twitter:label2" content="Est. reading time" /> <meta name="twitter:data2" content="4 minutes" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebPage","@id":"https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/","url":"https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/","name":"Revocation Reason Codes for TLS Server Certificates - Mozilla Security Blog","isPartOf":{"@id":"https://blog.mozilla.org/security/#website"},"datePublished":"2022-05-16T15:00:08+00:00","dateModified":"2022-05-16T16:04:57+00:00","author":{"@id":"https://blog.mozilla.org/security/#/schema/person/6dae079d5d4706973f9ecec70d983e1a"},"description":"We are adding a requirement about which RFC 5280 Revocation Reason Codes must be used under certain circumstances, and requiring that CA operators provide their full CRL URLs in the CCADB.","breadcrumb":{"@id":"https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/"]}]},{"@type":"BreadcrumbList","@id":"https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://blog.mozilla.org/security/"},{"@type":"ListItem","position":2,"name":"Revocation Reason Codes for TLS Server Certificates"}]},{"@type":"WebSite","@id":"https://blog.mozilla.org/security/#website","url":"https://blog.mozilla.org/security/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://blog.mozilla.org/security/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https://blog.mozilla.org/security/#/schema/person/6dae079d5d4706973f9ecec70d983e1a","name":"Kathleen Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://blog.mozilla.org/security/#/schema/person/image/8d4547801f543f8990aecbcfc9c18eca","url":"https://secure.gravatar.com/avatar/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https://secure.gravatar.com/avatar/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}</script>  <link rel="alternate" type="application/rss+xml" title="Mozilla Security Blog » Feed" href="https://blog.mozilla.org/security/feed/" /> <link rel="alternate" type="application/rss+xml" title="Mozilla Security Blog » Comments Feed" href="https://blog.mozilla.org/security/comments/feed/" /> <link rel='stylesheet' id='wp-block-library-css' href='https://blog.mozilla.org/security/wp-includes/css/dist/block-library/style.min.css?ver=6.3.5' type='text/css' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css' type='text/css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css' type='text/css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css' type='text/css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='frontierline-parent-css' href='https://blog.mozilla.org/security/wp-content/themes/frontierline/style.css?ver=6.3.5' type='text/css' media='all' /> <link rel='stylesheet' id='frontierline-css' href='https://blog.mozilla.org/security/wp-content/themes/frontierline-firefox/style.css?ver=1686919482' type='text/css' media='all' /> <script type='text/javascript' src='https://blog.mozilla.org/wp-content/mu-plugins/mozilla-custom/ga-snippet.js?ver=.4' id='ga-snippet-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/security/wp-includes/js/jquery/jquery.min.js?ver=3.7.0' id='jquery-core-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/security/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1' id='jquery-migrate-js'></script> <link rel="https://api.w.org/" href="https://blog.mozilla.org/security/wp-json/" /><link rel="alternate" type="application/json" href="https://blog.mozilla.org/security/wp-json/wp/v2/posts/2843" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.mozilla.org/security/xmlrpc.php?rsd" /> <link rel='shortlink' href='https://blog.mozilla.org/security/?p=2843' /> <link rel="alternate" type="application/json+oembed" href="https://blog.mozilla.org/security/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.mozilla.org%2Fsecurity%2F2022%2F05%2F16%2Frevocation-reason-codes-for-tls-server-certificates%2F" /> <link rel="alternate" type="text/xml+oembed" href="https://blog.mozilla.org/security/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.mozilla.org%2Fsecurity%2F2022%2F05%2F16%2Frevocation-reason-codes-for-tls-server-certificates%2F&format=xml" /> </head> <body class="post-template-default single single-post postid-2843 single-format-standard color-scheme-none pattern-none" data-blogname="Mozilla Security Blog"> <nav id="nav-global" class="nav-global can-stick"> <div class="content"> <div class="logo"><a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external" title="Visit mozilla.org">Mozilla</a></div> <div class="nav-mozilla"> <span class="toggle" role="button" aria-controls="nav-mozilla-menu" aria-expanded="false" tabindex="0">Menu</span> <ul class="nav-mozilla-menu" id="nav-mozilla-menu"> <li class="nav-global-health"><a href="https://www.mozilla.org/about/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">About Mozilla</a></li> <li class="nav-global-tech"><a href="https://www.mozilla.org/firefox/products/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">Products</a></li> <li class="nav-global-donate"><a href="https://donate.mozilla.org/?presets=50,30,20,10&amount=30&currency=usd&utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">Give</a></li> <li class="nav-global-firefox"><a href="https://www.mozilla.org/firefox/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">Discover Firefox</a></li> </ul> </div> </div> </nav> <header id="masthead" class="section"> <div class="site-id"> <div class="site-title-wrap content"> <a href="https://blog.mozilla.org/security/" rel="home" title="Go to the front page"> <h4 id="site-title"><span>Mozilla Security Blog</span></h4> </a> </div> </div> </header> <div class="site-wrap"> <nav id="nav-util" class="can-stick "> <ul class="content"> <li class="nav-util-search"> <form id="search" class="fm-search" method="get" action="https://blog.mozilla.org/security/"> <fieldset> <p> <label for="s">Search this site</label> <input type="search" value="" name="s" id="s"> <button type="submit" class="button button-minor">Search</button> </p> </fieldset> </form> </li> </ul> </nav> <main id="content"> <div class="content"> <article id="post-2843" class="post post-2843 type-post status-publish format-standard hentry category-ca-program category-security tag-certificate-authority tag-privacy tag-security"> <header class="entry-header"> <div class="entry-tools"> <div class="categories"> <b>Categories:</b> <a href="https://blog.mozilla.org/security/category/ca-program/" rel="category tag">CA Program</a> <a href="https://blog.mozilla.org/security/category/security/" rel="category tag">Security</a> </div> </div> <h1 class="entry-title"> Revocation Reason Codes for TLS Server Certificates </h1> <div class="entry-info"> <address class="vcard"> Kathleen Wilson </address> <time class="date published" datetime="2022-05-16T08:00:08-07:00">May 16, 2022</time> </div> </header> <div class="entry-content"> <p>In our continued efforts to improve the security of the web PKI, we are taking a multi-pronged approach to tackling some <a href="https://www.imperialviolet.org/2011/03/18/revocation.html">long-existing problems</a> with revocation of TLS server certificates. In addition to our ongoing <a href="https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/">CRLite work</a>, we added new requirements to version 2.8 of <a href="https://www.mozilla.org/projects/security/certs/policy/">Mozilla’s Root Store Policy</a> that will enable Firefox to depend on revocation reason codes being used consistently, so they can be relied on when verifying the validity of certificates during TLS connections. We also added a new requirement that CA operators <a href="https://www.mozilla.org/projects/security/certs/policy#41-additional-requirements">provide their full CRL URLs</a> in the <a href="https://www.ccadb.org/">CCADB</a>. This will enable Firefox to pre-load more complete certificate revocation data, eliminating dependency on the infrastructure of CAs during the certificate verification part of establishing TLS connections. The combination of these two new sets of requirements will further enable Firefox to enforce revocation checking of TLS server certificates, which makes TLS connections even more secure.</p> <h2>Previous Policy Updates</h2> <p>Significant improvements have already been made in the web PKI, including the following changes to <a href="https://www.mozilla.org/projects/security/certs/policy/">Mozilla’s Root Store Policy</a> and the <a href="https://cabforum.org/baseline-requirements-documents/">CA/Browser Forum Baseline Requirements (BRs)</a>, which reduced risks associated with exposure of the private keys of TLS certificates by reducing the amount of time that the exposure can exist.</p> <ul> <li>TLS server certificates issued on or after 1 September 2020 MUST NOT have a Validity Period greater than 398 days.</li> <li>For TLS server certificates issued on or after October 1, 2021, each dNSName or IPAddress in the certificate MUST have been validated within the prior 398 days.</li> </ul> <p>Under those provisions, the maximum validity period and maximum re-use of domain validation for TLS certificates roughly corresponds to the typical period of time for owning a domain name; i.e. one year. This reduces the risk of potential exposure of the private key of each TLS certificate that is revoked, replaced, or no longer needed by the original certificate subscriber.</p> <h2>New Requirements</h2> <p>In version 2.8 of <a href="https://www.mozilla.org/projects/security/certs/policy/">Mozilla’s Root Store Policy</a> we added requirements stating that:</p> <ol> <li>Specific <a href="https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1">RFC 5280 Revocation Reason Codes</a> must be used under certain circumstances; and</li> <li>CA operators must <a href="https://www.mozilla.org/projects/security/certs/policy#41-additional-requirements">provide their full CRL URLs</a> in the Common CA Database (<a href="https://www.ccadb.org/">CCADB</a>).</li> </ol> <p>These new requirements will provide a complete accounting of all revoked TLS server certificates. This will enable Firefox to pre-load more complete certificate revocation data, eliminating the need for it to query CAs for revocation information when <a href="https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification">establishing TLS connections</a>.</p> <p>The new <a href="https://www.mozilla.org/projects/security/certs/policy#611-end-entity-tls-certificate-crlrevocation-reasons">requirements about revocation reason codes</a> account for the situations that can happen at any time during the certificate’s validity period, and address the following problems:</p> <ul> <li>There were no policies specifying which revocation reason codes should be used and under which circumstances.</li> <li>Some CAs were not using revocation reason codes at all for TLS server certificates.</li> <li>Some CAs were using the same revocation reason code for every revocation.</li> <li>There were no policies specifying the information that CAs should provide to their certificate subscribers about revocation reason codes.</li> </ul> <h3>Revocation Reason Codes</h3> <p>Section 6.1.1 of version 2.8 of <a href="https://www.mozilla.org/projects/security/certs/policy/">Mozilla’s Root Store Policy</a> states that when a TLS server certificate is revoked for one of the following reasons the corresponding entry in the CRL must include the revocation reason code:</p> <ul> <li>keyCompromise (<a href="https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1">RFC 5280 Reason Code</a> #1) <ul> <li>The certificate subscriber must choose the “keyCompromise” revocation reason code when they have reason to believe that the private key of their certificate has been compromised, e.g., an unauthorized person has had access to the private key of their certificate.</li> </ul> </li> <li>affiliationChanged (RFC 5280 Reason Code #3) <ul> <li>The certificate subscriber should choose the “affiliationChanged” revocation reason code when their organization’s name or other organizational information in the certificate has changed.</li> </ul> </li> <li>superseded (RFC 5280 Reason Code #4) <ul> <li>The certificate subscriber should choose the “superseded” revocation reason code when they request a new certificate to replace their existing certificate.</li> </ul> </li> <li>cessationOfOperation (RFC 5280 Reason Code #5) <ul> <li>The certificate subscriber should choose the “cessationOfOperation” revocation reason code when they no longer own all of the domain names in the certificate or when they will no longer be using the certificate because they are discontinuing their website.</li> </ul> </li> <li>privilegeWithdrawn (RFC 5280 Reason Code #9) <ul> <li>The CA will specify the “privilegeWithdrawn” revocation reason code when they obtain evidence that the certificate was misused or the certificate subscriber has violated one or more material obligations under the subscriber agreement or terms of use.</li> </ul> </li> </ul> <p><a href="https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1">RFC 5280 Reason Codes</a> that are not listed above shall not be specified in the CRL for TLS server certificates, for reasons explained in the <a href="https://wiki.mozilla.org/CA/Revocation_Reasons#Banned_Revocation_Reasons">wiki page</a>.</p> <h2>Conclusion</h2> <p>These new requirements are important steps towards improving the security of the web PKI, and are part of our effort to resolve long-existing problems with revocation of TLS server certificates. The requirements about revocation reason codes will enable Firefox to depend on revocation reason codes being used consistently, so they can be relied on when verifying the validity of certificates during TLS connections. The requirement that CA operators provide their full CRL URLs in the CCADB will enable Firefox to pre-load more complete certificate revocation data, eliminating dependency on the infrastructure of CAs during the certificate verification part of establishing TLS connections. The combination of these two new sets of requirements will further enable Firefox to enforce revocation checking of TLS server certificates, which makes TLS connections even more secure.</p> </div> <footer class="entry-tags"> <p><b>Tags:</b> <a href="https://blog.mozilla.org/security/tag/certificate-authority/" rel="tag">certificate authority</a>, <a href="https://blog.mozilla.org/security/tag/privacy/" rel="tag">Privacy</a>, <a href="https://blog.mozilla.org/security/tag/security/" rel="tag">Security</a></p> </footer> <footer class="fx-footer"> <h4>Browse fast. Browse free.</h4> <p><a href="https://www.mozilla.org/firefox/new/?utm_source=blog.mozilla.org&utm_campaign=firefox_frontier&utm_medium=referral" rel="external" class="button button-product">Download Firefox</a></p> </footer> </article> </div> <nav id="adjacent-posts" class="section nav-paging"> <div class="content"> <p class="nav-paging-prev" role="navigation"> <a href="https://blog.mozilla.org/security/2021/12/15/preventing-secrets-from-leaking-through-clipboard/"> <span class="label">Previous article</span> <strong class="entry-title">Preventing secrets from leaking through Clipboard</strong> <time class="date" datetime="2021-12-15T01:53:07-08:00">December 15, 2021</time> <svg class="arrow-left" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 23.62 43"><defs><style>.cls-1{fill:none;stroke:#000;stroke-linecap:round;stroke-miterlimit:10;stroke-width:3px;}</style></defs><polyline class="cls-1" points="22.12 1.5 2.12 21.5 22.12 41.5"/></svg> </a> </p> <p class="nav-paging-next" role="navigation"> <a href="https://blog.mozilla.org/security/2022/05/23/upgrading-mrsp-to-v-2-8/"> <span class="label">Next article</span> <strong class="entry-title">Upgrading Mozilla’s Root Store Policy to Version 2.8</strong> <time class="date" datetime="2022-05-23T00:01:47-07:00">May 23, 2022</time> <svg class="arrow-right" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 23.62 43"><defs><style>.cls-1{fill:none;stroke:#000;stroke-linecap:round;stroke-miterlimit:10;stroke-width:3px;}</style></defs><polyline class="cls-1" points="1.5 1.5 21.5 21.5 1.5 41.5"/></svg> </a> </p> </div> </nav> <aside id="related-posts" class="section"> <div class="content"> <div class="in-category"> <h4 class="module-title">More articles in “CA Program”</h4> <ul class="cat-posts"> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2023/09/13/version-2-9-of-the-mozilla-root-store-policy/">Version 2.9 of the Mozilla Root Store Policy</a></h5> <time class="date" datetime="2023-09-13T10:56:32-07:00">September 13, 2023</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2022/05/23/upgrading-mrsp-to-v-2-8/">Upgrading Mozilla’s Root Store Policy to Version 2.8</a></h5> <time class="date" datetime="2022-05-23T00:01:47-07:00">May 23, 2022</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2021/12/09/improved-quality-of-intermediate-certificates-with-enhanced-oversight-and-automation/">Improving the Quality of Publicly Trusted Intermediate CA Certificates with Enhanced Oversight and Automation</a></h5> <time class="date" datetime="2021-12-09T08:00:50-08:00">December 9, 2021</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2021/04/26/mrsp-v-2-7-1/">Upgrading Mozilla’s Root Store Policy to Version 2.7.1</a></h5> <time class="date" datetime="2021-04-26T12:00:45-07:00">April 26, 2021</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/">Reducing TLS Certificate Lifespans to 398 Days</a></h5> <time class="date" datetime="2020-07-09T08:00:18-07:00">July 9, 2020</time> </li> </ul> </div> <div class="popular"> <h4 class="module-title">Recent articles</h4> <ul class="recent-posts"> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2024/10/11/behind-the-scenes-fixing-an-in-the-wild-firefox-exploit/">Behind the Scenes: Fixing an In-the-Wild Firefox Exploit</a></h5> <time class="date" datetime="2024-10-11T05:14:24-07:00">October 11, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2024/06/05/firefox-will-upgrade-more-mixed-content-in-version-127/">Firefox will upgrade more Mixed Content in Version 127</a></h5> <time class="date" datetime="2024-06-05T06:05:31-07:00">June 5, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2024/04/04/rapidly-leveling-up-firefox-security/">Rapidly Leveling up Firefox Security</a></h5> <time class="date" datetime="2024-04-04T12:27:41-07:00">April 4, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2023/12/06/mozilla-vpn-security-audit-2023/">Mozilla VPN Security Audit 2023</a></h5> <time class="date" datetime="2023-12-06T09:00:37-08:00">December 6, 2023</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/security/2023/09/13/version-2-9-of-the-mozilla-root-store-policy/">Version 2.9 of the Mozilla Root Store Policy</a></h5> <time class="date" datetime="2023-09-13T10:56:32-07:00">September 13, 2023</time> </li> </ul> </div> </div> </aside> <aside id="newsletter-subscribe" class="section newsletter-firefox"> <form id="newsletter_form" class="content newsletter_form" name="newsletter_form" action="https://www.mozilla.org/en-US/newsletter/" method="post" data-blog="Mozilla Security Blog"> <input type="hidden" id="newsletters" name="newsletters" value="mozilla-and-you"> <input type="hidden" id="source_url" name="source_url" value="https://blog.mozilla.org/security/2022/05/16/revocation-reason-codes-for-tls-server-certificates"> <div class="form-title"> <h3>Keep up with<br> all things Firefox.</h3> </div> <div id="form-contents" class="form-contents"> <div id="newsletter_errors" class="newsletter_errors"></div> <div class="field field-email"> <label for="email">Your e-mail address</label> <input type="email" id="email" name="email" required placeholder="yourname@example.com" size="30"> </div> <div class="form-details"> <div class="field field-country"> <label for="country">Country</label> <select id="country" name="country" required="required"> <option value="" selected="selected">- select -</option> <option value="af">Afghanistan</option> <option value="qz">Akrotiri</option> <option value="al">Albania</option> <option value="dz">Algeria</option> <option value="as">American Samoa</option> <option value="ad">Andorra</option> <option value="ao">Angola</option> <option value="ai">Anguilla</option> <option value="aq">Antarctica</option> <option value="ag">Antigua and Barbuda</option> <option value="ar">Argentina</option> <option value="am">Armenia</option> <option value="aw">Aruba</option> <option value="xa">Ashmore and Cartier Islands</option> <option value="au">Australia</option> <option value="at">Austria</option> <option value="az">Azerbaijan</option> <option value="bs">Bahamas, The</option> <option value="bh">Bahrain</option> <option value="xb">Baker Island</option> <option value="bd">Bangladesh</option> <option value="bb">Barbados</option> <option value="qs">Bassas da India</option> <option value="by">Belarus</option> <option value="be">Belgium</option> <option value="bz">Belize</option> <option value="bj">Benin</option> <option value="bm">Bermuda</option> <option value="bt">Bhutan</option> <option value="bo">Bolivia</option> <option value="bq">Bonaire, Sint Eustatius, and Saba</option> <option value="ba">Bosnia and Herzegovina</option> <option value="bw">Botswana</option> <option value="bv">Bouvet Island</option> <option value="br">Brazil</option> <option value="io">British Indian Ocean Territory</option> <option value="bn">Brunei</option> <option value="bg">Bulgaria</option> <option value="bf">Burkina Faso</option> <option value="mm">Burma</option> <option value="bi">Burundi</option> <option value="cv">Cabo Verde</option> <option value="kh">Cambodia</option> <option value="cm">Cameroon</option> <option value="ca">Canada</option> <option value="ky">Cayman Islands</option> <option value="cf">Central African Republic</option> <option value="td">Chad</option> <option value="cl">Chile</option> <option value="cn">China</option> <option value="cx">Christmas Island</option> <option value="cp">Clipperton Island</option> <option value="cc">Cocos (Keeling) Islands</option> <option value="co">Colombia</option> <option value="km">Comoros</option> <option value="cg">Congo (Brazzaville)</option> <option value="cd">Congo (Kinshasa)</option> <option value="ck">Cook Islands</option> <option value="xc">Coral Sea Islands</option> <option value="cr">Costa Rica</option> <option value="hr">Croatia</option> <option value="cu">Cuba</option> <option value="cw">Curaçao</option> <option value="cy">Cyprus</option> <option value="cz">Czech Republic</option> <option value="ci">Côte d’Ivoire</option> <option value="dk">Denmark</option> <option value="xd">Dhekelia</option> <option value="dg">Diego Garcia</option> <option value="dj">Djibouti</option> <option value="dm">Dominica</option> <option value="do">Dominican Republic</option> <option value="ec">Ecuador</option> <option value="eg">Egypt</option> <option value="sv">El Salvador</option> <option value="gq">Equatorial Guinea</option> <option value="er">Eritrea</option> <option value="ee">Estonia</option> <option value="et">Ethiopia</option> <option value="xe">Europa Island</option> <option value="fk">Falkland Islands (Islas Malvinas)</option> <option value="fo">Faroe Islands</option> <option value="fj">Fiji</option> <option value="fi">Finland</option> <option value="fr">France</option> <option value="gf">French Guiana</option> <option value="pf">French Polynesia</option> <option value="tf">French Southern and Antarctic Lands</option> <option value="ga">Gabon</option> <option value="gm">Gambia, The</option> <option value="xg">Gaza Strip</option> <option value="ge">Georgia</option> <option value="de">Germany</option> <option value="gh">Ghana</option> <option value="gi">Gibraltar</option> <option value="qx">Glorioso Islands</option> <option value="gr">Greece</option> <option value="gl">Greenland</option> <option value="gd">Grenada</option> <option value="gp">Guadeloupe</option> <option value="gu">Guam</option> <option value="gt">Guatemala</option> <option value="gg">Guernsey</option> <option value="gn">Guinea</option> <option value="gw">Guinea-Bissau</option> <option value="gy">Guyana</option> <option value="ht">Haiti</option> <option value="hm">Heard Island and McDonald Islands</option> <option value="hn">Honduras</option> <option value="hk">Hong Kong</option> <option value="xh">Howland Island</option> <option value="hu">Hungary</option> <option value="is">Iceland</option> <option value="in">India</option> <option value="id">Indonesia</option> <option value="ir">Iran</option> <option value="iq">Iraq</option> <option value="ie">Ireland</option> <option value="im">Isle of Man</option> <option value="il">Israel</option> <option value="it">Italy</option> <option value="jm">Jamaica</option> <option value="xj">Jan Mayen</option> <option value="jp">Japan</option> <option value="xq">Jarvis Island</option> <option value="je">Jersey</option> <option value="xu">Johnston Atoll</option> <option value="jo">Jordan</option> <option value="qu">Juan de Nova Island</option> <option value="kz">Kazakhstan</option> <option value="ke">Kenya</option> <option value="xm">Kingman Reef</option> <option value="ki">Kiribati</option> <option value="kp">Korea, North</option> <option value="kr">Korea, South</option> <option value="xk">Kosovo</option> <option value="kw">Kuwait</option> <option value="kg">Kyrgyzstan</option> <option value="la">Laos</option> <option value="lv">Latvia</option> <option value="lb">Lebanon</option> <option value="ls">Lesotho</option> <option value="lr">Liberia</option> <option value="ly">Libya</option> <option value="li">Liechtenstein</option> <option value="lt">Lithuania</option> <option value="lu">Luxembourg</option> <option value="mo">Macau</option> <option value="mk">Macedonia</option> <option value="mg">Madagascar</option> <option value="mw">Malawi</option> <option value="my">Malaysia</option> <option value="mv">Maldives</option> <option value="ml">Mali</option> <option value="mt">Malta</option> <option value="mh">Marshall Islands</option> <option value="mq">Martinique</option> <option value="mr">Mauritania</option> <option value="mu">Mauritius</option> <option value="yt">Mayotte</option> <option value="mx">Mexico</option> <option value="fm">Micronesia, Federated States of</option> <option value="qm">Midway Islands</option> <option value="md">Moldova</option> <option value="mc">Monaco</option> <option value="mn">Mongolia</option> <option value="me">Montenegro</option> <option value="ms">Montserrat</option> <option value="ma">Morocco</option> <option value="mz">Mozambique</option> <option value="na">Namibia</option> <option value="nr">Nauru</option> <option value="xv">Navassa Island</option> <option value="np">Nepal</option> <option value="nl">Netherlands</option> <option value="nc">New Caledonia</option> <option value="nz">New Zealand</option> <option value="ni">Nicaragua</option> <option value="ne">Niger</option> <option value="ng">Nigeria</option> <option value="nu">Niue</option> <option value="nf">Norfolk Island</option> <option value="mp">Northern Mariana Islands</option> <option value="no">Norway</option> <option value="om">Oman</option> <option value="pk">Pakistan</option> <option value="pw">Palau</option> <option value="xl">Palmyra Atoll</option> <option value="pa">Panama</option> <option value="pg">Papua New Guinea</option> <option value="xp">Paracel Islands</option> <option value="py">Paraguay</option> <option value="pe">Peru</option> <option value="ph">Philippines</option> <option value="pn">Pitcairn Islands</option> <option value="pl">Poland</option> <option value="pt">Portugal</option> <option value="pr">Puerto Rico</option> <option value="qa">Qatar</option> <option value="re">Reunion</option> <option value="ro">Romania</option> <option value="ru">Russia</option> <option value="rw">Rwanda</option> <option value="bl">Saint Barthelemy</option> <option value="sh">Saint Helena, Ascension, and Tristan da Cunha</option> <option value="kn">Saint Kitts and Nevis</option> <option value="lc">Saint Lucia</option> <option value="mf">Saint Martin</option> <option value="pm">Saint Pierre and Miquelon</option> <option value="vc">Saint Vincent and the Grenadines</option> <option value="ws">Samoa</option> <option value="sm">San Marino</option> <option value="st">Sao Tome and Principe</option> <option value="sa">Saudi Arabia</option> <option value="sn">Senegal</option> <option value="rs">Serbia</option> <option value="sc">Seychelles</option> <option value="sl">Sierra Leone</option> <option value="sg">Singapore</option> <option value="sx">Sint Maarten</option> <option value="sk">Slovakia</option> <option value="si">Slovenia</option> <option value="sb">Solomon Islands</option> <option value="so">Somalia</option> <option value="za">South Africa</option> <option value="gs">South Georgia and South Sandwich Islands</option> <option value="ss">South Sudan</option> <option value="es">Spain</option> <option value="xs">Spratly Islands</option> <option value="lk">Sri Lanka</option> <option value="sd">Sudan</option> <option value="sr">Suriname</option> <option value="xr">Svalbard</option> <option value="sz">Swaziland</option> <option value="se">Sweden</option> <option value="ch">Switzerland</option> <option value="sy">Syria</option> <option value="tw">Taiwan</option> <option value="tj">Tajikistan</option> <option value="tz">Tanzania</option> <option value="th">Thailand</option> <option value="tl">Timor-Leste</option> <option value="tg">Togo</option> <option value="tk">Tokelau</option> <option value="to">Tonga</option> <option value="tt">Trinidad and Tobago</option> <option value="xt">Tromelin Island</option> <option value="tn">Tunisia</option> <option value="tr">Turkey</option> <option value="tm">Turkmenistan</option> <option value="tc">Turks and Caicos Islands</option> <option value="tv">Tuvalu</option> <option value="ug">Uganda</option> <option value="ua">Ukraine</option> <option value="ae">United Arab Emirates</option> <option value="gb">United Kingdom</option> <option value="us">United States</option> <option value="uy">Uruguay</option> <option value="uz">Uzbekistan</option> <option value="vu">Vanuatu</option> <option value="va">Vatican City</option> <option value="ve">Venezuela</option> <option value="vn">Vietnam</option> <option value="vg">Virgin Islands, British</option> <option value="vi">Virgin Islands, U.S.</option> <option value="qw">Wake Island</option> <option value="wf">Wallis and Futuna</option> <option value="xw">West Bank</option> <option value="eh">Western Sahara</option> <option value="ye">Yemen</option> <option value="zm">Zambia</option> <option value="zw">Zimbabwe</option> </select> </div> <div class="field field-language"> <label for="lang">Language</label> <select id="lang" name="lang" required="required"> <option value="id">Bahasa Indonesia</option> <option value="de">Deutsch</option> <option value="en" selected="selected">English</option> <option value="es">Español</option> <option value="fr">Français</option> <option value="pl">Polski</option> <option value="pt">Português</option> <option value="ru">Русский</option> <option value="zh-TW">正體中文</option> </select> </div> <div class="field field-format"> <label for="format-h"><input checked="checked" id="format-h" name="fmt" value="H" type="radio"> HTML</label> <label for="format-t"><input id="format-t" name="fmt" value="T" type="radio"> Text</label> </div> <div class="field field-privacy"> <label for="privacy"> <input type="checkbox" id="privacy" name="privacy" required> I’m okay with Mozilla handling my info as explained in this <a href="https://www.mozilla.org/privacy/">Privacy Policy</a>. </label> </div> </div> <div class="form-submit"> <button id="newsletter_submit" type="submit" class="form-button button-light">Sign up now</button> <p class="form-details promise"> <small>We will only send you Mozilla-related information.</small> </p> </div> </div> <div id="newsletter_thanks" class="thanks"> <h2>Thanks!</h2> <p> If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us. </p> </div> </form> </aside> </main> <aside id="sidebar" class="section widgets can-stick"> <div class="content"> </div> </aside> </div> <footer id="site-info" class="section"> <div class="content"> <nav class="primary"> <div class="logo"> <a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Mozilla</a> </div> <section class="mozilla"> <h5><a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Mozilla</a></h5> <ul class="mozilla-links"> <li><a href="https://www.mozilla.org/about/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="About">About</a></li> <li><a href="https://www.mozilla.org/contact/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Contact Us">Contact Us</a></li> <li><a href="https://donate.mozilla.org/?presets=50,30,20,10&amount=30&currency=usd&utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" class="donate" data-link-type="footer" data-link-name="Donate">Donate</a></li> <li> <ul class="social-links"> <li><a class="twitter" href="https://twitter.com/mozilla" data-link-type="footer" data-link-name="Twitter (@mozilla)">Twitter<span> (@mozilla)</span></a></li> <li><a class="instagram" href="https://www.instagram.com/mozillagram/" data-link-type="footer" data-link-name="Instagram (@mozillagram)">Instagram<span> (@mozillagram)</span></a></li> </ul> </li> </ul> </section> <section class="firefox"> <h5><a href="https://www.mozilla.org/firefox/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Firefox</a></h5> <ul class="firefox-links"> <li><a href="https://www.mozilla.org/firefox/new/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Download Firefox">Download Firefox</a></li> <li><a href="https://www.mozilla.org/firefox/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Desktop">Desktop</a></li> <li><a href="https://www.mozilla.org/firefox/mobile/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mobile">Mobile</a></li> <li><a href="https://www.mozilla.org/firefox/features/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Features">Features</a></li> <li><a href="https://www.mozilla.org/firefox/channel/desktop/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Beta, Nightly, Developer Edition">Beta, Nightly, Developer Edition</a></li> <li> <ul class="social-links"> <li><a class="twitter" href="https://twitter.com/firefox" data-link-type="footer" data-link-name="Twitter (@firefox)">Twitter<span> (@firefox)</span></a></li> <li><a class="youtube" href="https://www.youtube.com/firefoxchannel" data-link-type="footer" data-link-name="YouTube (firefoxchannel)">YouTube<span> (firefoxchannel)</span></a></li> </ul> </li> </ul> </section> </nav> <nav class="secondary"> <div class="small-links"> <ul> <li><a rel="nofollow" href="https://www.mozilla.org/privacy/" data-link-type="footer" data-link-name="Privacy">Website Privacy Notice</a></li> <li><a rel="nofollow" href="https://www.mozilla.org/privacy/websites/#cookies" data-link-type="footer" data-link-name="Cookies">Cookies</a></li> <li><a rel="nofollow" href="https://www.mozilla.org/about/legal/" data-link-type="footer" data-link-name="Legal">Legal</a></li> </ul> <p class="license"> Visit Mozilla Corporation’s not-for-profit parent, the <a href="https://foundation.mozilla.org" data-link-type="footer" data-link-name="Mozilla Foundation">Mozilla Foundation</a>. </p> <p class="license"> Portions of this content are ©1998-2025 by individual contributors. Content available under a <a href="https://www.mozilla.org/foundation/licensing/website-content/" rel="external license">Creative Commons license</a>. </p> </div> </nav> </div> </footer>  <script type='text/javascript' src='https://blog.mozilla.org/security/wp-content/themes/frontierline/js/global.js?ver=2.2' id='global-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/security/wp-content/themes/frontierline/js/basket-client.js?ver=1.2' id='basket-client-js'></script> </body> </html>

CINXE.COM

Revocation Reason Codes for TLS Server Certificates - Mozilla Security Blog