Name

OpenXPKI::Server::Workflow::Activity::CRR::PersistRequest

Description

persists the Certificate Revocation Request into the database, so that it can then be used by the CRL issuance workflow. If the certificate is not in ISSUED state or has already revocation details set, the activity will throw an exception if the requested details do not match the already present data. This can be relaxed by the enforce parameter

Activity Parameters

By default, those values are read from the context items with the same name. It a key with this name exists in the activity definition, it has precedence over the context value. If a given key has an empty value, the context is not used as fallback.

cert_identifier
reason_code: Must be one of the supported openssl reason codes, default is unspecified
invalidity_time: Epoch to be set as "key compromise time", the default backend uses this only when reason_code is set to keyCompromise.
hold_code: Hold code for revocation reason "onHold" (not supported by the default backend).
revocation_time: Set revocation_time, default is "now". This parameter must be passed as activity param and has no fallback to the context.
enforce (all|reason_code|none): The default mode depends on the parameters present in context or as action parameters. If revocation_time is set, time and reason_code must match. If no time but reason_code is set, then only the reson_code must match. If neither one is set, the request is always accepted. In case the reason_code is keyCompromise and the invalidity_time is set, it must also match as long as you do not set enforce to none.
If you do not set revocation_time/reason_code but want to stop if revocation data is present, you can enforce the same check level by explicitly setting all or reason_code. In this case the checks are done against the default values.