Re: How to revoke the root CA certificate ?
From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 02/03/05
- Next message: Mark Gamache: "Re: Reset password on 'krbtgt' account?"
- Previous message: RJ: "Enterprise Root CA change"
- In reply to: Yannick Béot: "Re: How to revoke the root CA certificate ?"
- Next in thread: Martin: "Re: How to revoke the root CA certificate ?"
- Reply: Martin: "Re: How to revoke the root CA certificate ?"
- Reply: Yannick Béot: "Re: How to revoke the root CA certificate ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Feb 2005 17:28:42 -0800
This is why protecting the root CA's priv key is so vital. You should not
have issued any certs for use from the root, so first revoke all certs for
intermediate CAs. Another option would be to remove your CRLs from all of
the CDPs. Any application that tried to validate the cert chain would take
issue with that.
You might also use a GPO to add the root CA cert to the untrusted store on
each computer.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Yannick Béot" <yannick.beot@NOSPAM.free.fr> wrote in message news:4200e286$0$24725$626a14ce@news.free.fr...
> Brian Komar wrote:
>> In article <4200b203$0$24722$626a14ce@news.free.fr>,
>> yannick.beot@NOSPAM.free.fr says...
>>
>>> Hi,
>>>
>>> I have a standalone certificate authority on Windows Server 2003, and I
>>> wonder how I can revoke the CA certificate, in the case of a
>>> compromise, cessation of activity, ...
>>>
>>> Since it does not appear in the list of issued certificates, I don't know
>>> where to right-click to revoke the CA certificate.
>>>
>>> For the moment it's only to know the procedure, in case of...
>>>
>>> Thanks in advance
>>>
>>> Yannick Beot
>>
>> To revoke a root, you must remove the certificate from all computers'
>> trusted root stores and redeploy your PKI. It is kind of a chicken and
>> the egg issue.
>>
>> If you are revoking the root CA certificate, you want it to go on the
>> CRL. But what certificate is used to sign the CRL... the certificate that
>> you are revoking, making the CRL invalid.
>>
>> Hence the importance of using good physical and logical security to
>> protect the root CA.
>>
>> Brian
>
> Sure, I don't dispute the necessity of security around the
> certificate authorities.
> But this procedure has to be somehow allowed.
>
> I could revoke the CA certificate by using the certutil -revoke command
> and by providing the serial number of the root CA certificate.
> Unfortunately I could not issue a new CRL containing the CA certificate
> and all the certificates issued by the CA (magically, without asking
> anything, it revoked all the certificates, which is the correct behavior in
> this case).
>
> As the CRL is signed by the CA, only the CA can issue (on purpose) a CRL
> with its certificate in it.
>
> It has to be possible. How? I don't know...
>
> Yannick Beot
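The "untrusted store" approach Mark describes, as an added example that is not part of the thread: on a single machine, move the compromised root into the Untrusted Certificates store (internal name Disallowed) and then confirm that chains ending at that root no longer build. This script is not from any poster; it assumes PowerShell 5.1 or later with the PKI module (Windows 8 / Server 2012 or later, not the Server 2003 era of the thread), an elevated session, and a `$Thumbprint` parameter that is a placeholder for the compromised root's SHA-1 thumbprint.

```powershell
# Added example, not code from the thread. Placeholder: $Thumbprint is the SHA-1 thumbprint
# of the compromised root CA certificate. Requires an elevated PowerShell session and the
# PKI module (Import-Certificate / Export-Certificate).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $ExportPath = "$env:TEMP\compromised-root.cer"
)

# Thumbprints copied from the certificate UI often contain spaces; normalise before comparing.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# 1. Locate the root in the machine's Trusted Root Certification Authorities store.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $root) {
    throw "No certificate with thumbprint $Thumbprint found in Cert:\LocalMachine\Root"
}

# 2. Export the public certificate (DER). No private key is touched; the public cert is all
#    that is needed to mark it as distrusted.
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null

# 3. Import it into the Untrusted Certificates store. CryptoAPI treats a match in Disallowed
#    as explicit distrust, which overrides its presence in the Trusted Root store. This is the
#    per-machine equivalent of the GPO deployment Mark suggests.
Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null

# 4. Also remove it from Trusted Root so it no longer appears as an anchor at all.
Remove-Item -Path $root.PSPath

# 5. Verify: every certificate in the machine's personal store that chained to this root
#    should now fail chain building. Revocation checking is disabled here on purpose: the
#    point of the thread is that a CRL signed by the revoked root cannot be relied upon.
$policy = New-Object System.Security.Cryptography.X509Certificates.X509ChainPolicy
$policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

foreach ($leaf in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy = $policy
    $ok = $chain.Build($leaf)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($ok) {
        Write-Output ("TRUSTED   {0}" -f $leaf.Subject)
    } else {
        # Expected for certificates under the distrusted root, e.g. an ExplicitDistrust status.
        Write-Output ("UNTRUSTED {0} : {1}" -f $leaf.Subject, $status)
    }
}
```

On a domain this is normally done once, centrally, rather than per machine: the same Disallowed store is populated through Group Policy under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Untrusted Certificates, which is the GPO route Mark refers to. Step 5 is the check worth keeping afterwards, since it confirms that chain building fails on the machine without depending on a CRL that the revoked root itself signed.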