Revoking certificates: is it possible/useful to specify the reason for the revocation?

does not talk about it

The ACME protocol seems to implement it:

Hi @tdelmas,

“Is it possible” - yes :slight_smile: As you mention the ACME revocation resource allows specifying a reason code. The important thing to note with respect to Let’s Encrypt is that Boulder only allows a subset of reason codes to be specified by the user.

“Is it useful” - I’m not personally sure what relying parties that check OCSP are likely to do with the revocation reason. I suspect not very much.

Thanks @cpu !

And it looks like it’s implemented by certbot, I guess it’s just not documented:

It’s not documented there:

Edit: It’s documented there:


It looks like while it isn’t documented in the usage section, it is documented in the command line flags section:

   --reason {keycompromise,affiliationchanged,superseded,unspecified,cessationofoperation}
                        Specify reason for revoking certificate. (default: 0)

@schoen @swartzcr Do you think the --reason flag should also be documented in the revocation usage part of the manual? I also wonder if the "(default: 0)" in the command line flags documentation should be written as "(default: keycompromise)" - I’m not sure what “0” maps to in this case.

Edit: oops! looks like you edited your answer right at the same time I was posting this :slight_smile: Jinx!
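To make the two threads of the discussion concrete (the ACME revocation resource carrying a reason code, and certbot's `--reason` names mapping onto a numeric default), here is an added example that is not part of the thread, certbot or Boulder. It builds the JSON payload of an ACME revokeCert request as defined in RFC 8555 section 7.6 (the JWS signing and HTTP POST are left out), maps reason names to the CRLReason integers of RFC 5280 section 5.3.1, and restricts accepted names to the five that the quoted certbot help text exposes. The server-side check mirrors the same subset, which is an assumption about what a CA would accept, not Boulder's actual code; the DER bytes used as sample input are constructed and are not a real certificate.

```python
import base64
import json
from typing import Optional, Tuple

# CRLReason codes from RFC 5280 section 5.3.1 (code 7 is unused in the RFC).
CRL_REASONS = {
    "unspecified": 0,
    "keycompromise": 1,
    "cacompromise": 2,
    "affiliationchanged": 3,
    "superseded": 4,
    "cessationofoperation": 5,
    "certificatehold": 6,
    "removefromcrl": 8,
    "privilegewithdrawn": 9,
    "aacompromise": 10,
}

# The subset of names exposed by certbot's --reason flag (from the help text
# quoted in this thread). Used here for both the client and the server check.
ALLOWED_REASONS = frozenset(
    {"keycompromise", "affiliationchanged", "superseded", "unspecified", "cessationofoperation"}
)
ALLOWED_CODES = frozenset(CRL_REASONS[name] for name in ALLOWED_REASONS)


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def reason_name(code: int) -> str:
    """Human-readable CRLReason name for a numeric code (e.g. 0 -> 'unspecified')."""
    for name, value in CRL_REASONS.items():
        if value == code:
            return name
    raise ValueError(f"unknown CRLReason code {code}")


def revocation_payload(cert_der: bytes, reason: Optional[str] = None) -> dict:
    """Client side: build the revokeCert JSON payload (RFC 8555 section 7.6).

    'certificate' is the base64url DER certificate; 'reason' is optional and,
    when given, is sent as the CRLReason integer. Names outside the allowed
    subset are rejected locally so the request fails before reaching the CA.
    """
    payload = {"certificate": b64url(cert_der)}
    if reason is not None:
        key = reason.lower()
        if key not in ALLOWED_REASONS:
            raise ValueError(f"reason {reason!r} not accepted; choose one of {sorted(ALLOWED_REASONS)}")
        payload["reason"] = CRL_REASONS[key]
    return payload


def validate_revocation_payload(raw: str) -> Tuple[bytes, int]:
    """Server side (hypothetical CA check, not Boulder's code): parse a payload,
    default a missing reason to 0 (unspecified) and reject codes outside the
    allowed subset. Returns (certificate DER, reason code)."""
    payload = json.loads(raw)
    if "certificate" not in payload:
        raise ValueError("missing 'certificate' field")
    cert_der = b64url_decode(payload["certificate"])
    reason = payload.get("reason", 0)
    if not isinstance(reason, int) or reason not in ALLOWED_CODES:
        raise ValueError(f"reason code {reason!r} not permitted")
    return cert_der, reason


if __name__ == "__main__":
    # Constructed stand-in for DER bytes; a real call would read the PEM
    # certificate and convert it to DER.
    sample_der = b"\x30\x00"
    body = json.dumps(revocation_payload(sample_der, "keycompromise"))
    print(body)
    cert, code = validate_revocation_payload(body)
    print(f"accepted reason {code} ({reason_name(code)})")
```

The numeric default of 0 shown in the certbot help text corresponds to `unspecified` in the RFC 5280 table above, which is why `validate_revocation_payload` treats an absent reason the same way as reason 0.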


I made a PR for this which should change what the listed default is and add a short section to the docs about it:

