Yannick Béot (Guest)
Posted: Wed Feb 02, 2005 4:57 pm
Post subject: How to revoke the root CA certificate?
Hi,
I have a standalone certificate authority on Windows Server 2003, and I
wonder how I can revoke the CA certificate, in case of a compromise,
cessation of activity, ...
Since it does not appear in the list of issued certificates, I don't
know where to right-click to revoke the CA certificate.
For the moment it's only to know the procedure, in case of...
Thanks in advance
Yannick Beot
Brian Komar (Guest)
Posted: Wed Feb 02, 2005 7:15 pm
Post subject: Re: How to revoke the root CA certificate?
In article <4200b203$0$24722$626a14ce@news.free.fr>,
yannick.beot@NOSPAM.free.fr says...
> Hi,
> I have a standalone certificate authority on Windows Server 2003, and I
> wonder how I can revoke the CA certificate, in case of a compromise,
> cessation of activity, ...
> Since it does not appear in the list of issued certificates, I don't
> know where to right-click to revoke the CA certificate.
> For the moment it's only to know the procedure, in case of...
> Thanks in advance
> Yannick Beot

To revoke a root, you must remove the certificate from all computers'
trusted root stores and redeploy your PKI. It is kind of a chicken-and-egg
issue.
If you are revoking the root CA certificate, you want it to go on the
CRL. But what certificate is used to sign the CRL... the certificate
that you are revoking, making the CRL invalid.
Hence the importance of using good physical and logical security to
protect the root CA.
Brian
Yannick Béot (Guest)
Posted: Wed Feb 02, 2005 8:24 pm
Post subject: Re: How to revoke the root CA certificate?
Brian Komar wrote:
> In article <4200b203$0$24722$626a14ce@news.free.fr>,
> yannick.beot@NOSPAM.free.fr says...
>> Hi,
>> I have a standalone certificate authority on Windows Server 2003, and I
>> wonder how I can revoke the CA certificate, in case of a compromise,
>> cessation of activity, ...
>> Since it does not appear in the list of issued certificates, I don't
>> know where to right-click to revoke the CA certificate.
>> For the moment it's only to know the procedure, in case of...
>> Thanks in advance
>> Yannick Beot
>
> To revoke a root, you must remove the certificate from all computers'
> trusted root stores and redeploy your PKI. It is kind of a chicken-and-egg
> issue.
> If you are revoking the root CA certificate, you want it to go on the
> CRL. But what certificate is used to sign the CRL... the certificate
> that you are revoking, making the CRL invalid.
> Hence the importance of using good physical and logical security to
> protect the root CA.
> Brian

Sure, I don't dispute the necessity of security around the
certificate authorities.
But this procedure has to be allowed somehow.
I could revoke the CA certificate by using the certutil -revoke command
and by providing the serial number of the root CA certificate.
Unfortunately I could not issue a new CRL containing the CA certificate
and all the certificates issued by the CA (magically, without asking
anything, it revoked all the certificates, which is the correct behavior
in this case).
As the CRL is signed by the CA, only the CA can issue (on purpose) a CRL
with its certificate in it.
It has to be possible. How? I don't know...
Yannick Beot
Steve Clark [MSFT] (Guest)
Posted: Thu Feb 03, 2005 2:34 am
Post subject: Re: How to revoke the root CA certificate?
Well, you mentioned compromised, which is why Brian said what he did
regarding root CA physical security.
To make a long story short, are you asking about this theoretically, or are
you trying to solve a problem you are seeing in production? If this were,
say, a migration, then you would typically stand up the new root, and cross
certify (or stand it up in parallel if necessary) and then just revoke old
certs and decom the old root CA when the time comes. If you're after
"instant" action if something happens to the root CA, guess what? Nobody
will have an answer for you. It doesn't matter who the vendor is, the root
CA protections are about risk avoidance/mitigation, not incident response.
This is why HSMs are popular... :)

"Yannick Béot" <yannick.beot@NOSPAM.free.fr> wrote in message
news:4200e286$0$24725$626a14ce@news.free.fr...
> Brian Komar wrote:
>> In article <4200b203$0$24722$626a14ce@news.free.fr>,
>> yannick.beot@NOSPAM.free.fr says...
>>> Hi,
>>> I have a standalone certificate authority on Windows Server 2003, and I
>>> wonder how I can revoke the CA certificate, in case of a compromise,
>>> cessation of activity, ...
>>> Since it does not appear in the list of issued certificates, I don't know
>>> where to right-click to revoke the CA certificate.
>>> For the moment it's only to know the procedure, in case of...
>>> Thanks in advance
>>> Yannick Beot
>>
>> To revoke a root, you must remove the certificate from all computers'
>> trusted root stores and redeploy your PKI. It is kind of a chicken-and-egg
>> issue.
>> If you are revoking the root CA certificate, you want it to go on the
>> CRL. But what certificate is used to sign the CRL... the certificate that
>> you are revoking, making the CRL invalid.
>> Hence the importance of using good physical and logical security to
>> protect the root CA.
>> Brian
>
> Sure, I don't dispute the necessity of security around the
> certificate authorities.
> But this procedure has to be allowed somehow.
> I could revoke the CA certificate by using the certutil -revoke command
> and by providing the serial number of the root CA certificate.
> Unfortunately I could not issue a new CRL containing the CA certificate
> and all the certificates issued by the CA (magically, without asking
> anything, it revoked all the certificates, which is the correct behavior in
> this case).
> As the CRL is signed by the CA, only the CA can issue (on purpose) a CRL
> with its certificate in it.
> It has to be possible. How? I don't know...
> Yannick Beot
Mark Gamache (Guest)
Posted: Thu Feb 03, 2005 6:48 am
Post subject: Re: How to revoke the root CA certificate?
This is why protecting the root CA's private key is so vital. You should not
have issued any certs for use from the root, so first revoke all certs for
intermediate CAs. Another option would be to remove your CRLs from all of
the CDPs. Any application that tried to validate the cert chain would take
issue with that.
You might also use a GPO to add the root CA cert to the untrusted store on
each computer.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Yannick Béot" <yannick.beot@NOSPAM.free.fr> wrote in message
news:4200e286$0$24725$626a14ce@news.free.fr...
> Brian Komar wrote:
>> In article <4200b203$0$24722$626a14ce@news.free.fr>,
>> yannick.beot@NOSPAM.free.fr says...
>>> Hi,
>>> I have a standalone certificate authority on Windows Server 2003, and I
>>> wonder how I can revoke the CA certificate, in case of a compromise,
>>> cessation of activity, ...
>>> Since it does not appear in the list of issued certificates, I don't know
>>> where to right-click to revoke the CA certificate.
>>> For the moment it's only to know the procedure, in case of...
>>> Thanks in advance
>>> Yannick Beot
>>
>> To revoke a root, you must remove the certificate from all computers'
>> trusted root stores and redeploy your PKI. It is kind of a chicken-and-egg
>> issue.
>> If you are revoking the root CA certificate, you want it to go on the
>> CRL. But what certificate is used to sign the CRL... the certificate that
>> you are revoking, making the CRL invalid.
>> Hence the importance of using good physical and logical security to
>> protect the root CA.
>> Brian
>
> Sure, I don't dispute the necessity of security around the
> certificate authorities.
> But this procedure has to be allowed somehow.
> I could revoke the CA certificate by using the certutil -revoke command
> and by providing the serial number of the root CA certificate.
> Unfortunately I could not issue a new CRL containing the CA certificate
> and all the certificates issued by the CA (magically, without asking
> anything, it revoked all the certificates, which is the correct behavior in
> this case).
> As the CRL is signed by the CA, only the CA can issue (on purpose) a CRL
> with its certificate in it.
> It has to be possible. How? I don't know...
> Yannick Beot
Martin (Guest)
Posted: Thu Feb 03, 2005 2:24 pm
Post subject: Re: How to revoke the root CA certificate?
> You might also use a GPO to add the root CA cert to the untrusted store on
> each computer.

Could you give some details on how to do this?
Regards,
Martin
Paul Adare (Guest)
Posted: Thu Feb 03, 2005 6:54 pm
Post subject: Re: How to revoke the root CA certificate?
In article <4200e286$0$24725$626a14ce@news.free.fr>, in the
microsoft.public.windows.server.security news group, Yannick Béot
<yannick.beot@NOSPAM.free.fr> says...
> I could revoke the CA certificate by using the certutil -revoke command
> and by providing the serial number of the root CA certificate.
> Unfortunately I could not issue a new CRL containing the CA certificate
> and all the certificates issued by the CA (magically, without asking
> anything, it revoked all the certificates, which is the correct behavior
> in this case).

As others have pointed out, there is no reason to revoke a root CA
certificate. As a matter of fact, any application that is RFC 3280
compliant will never even check the revocation status of a root CA cert.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Mark Gamache (Guest)
Posted: Thu Feb 03, 2005 10:56 pm
Post subject: Re: How to revoke the root CA certificate?
This is why protecting the root CA's private key is so vital. You should not
have issued any certs for use from the root, so first revoke all certs for
intermediate CAs. Another option would be to remove your CRLs from all of
the CDPs. Any application that tried to validate the cert chain would take
issue with that.
You might also use a GPO to add the root CA cert to the untrusted store on
each computer.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Yannick Béot" <yannick.beot@NOSPAM.free.fr> wrote in message
news:4200b203$0$24722$626a14ce@news.free.fr...
> Hi,
> I have a standalone certificate authority on Windows Server 2003, and I
> wonder how I can revoke the CA certificate, in case of a compromise,
> cessation of activity, ...
> Since it does not appear in the list of issued certificates, I don't know
> where to right-click to revoke the CA certificate.
> For the moment it's only to know the procedure, in case of...
> Thanks in advance
> Yannick Beot
Yannick Béot (Guest)
Posted: Fri Feb 04, 2005 8:39 pm
Post subject: Re: How to revoke the root CA certificate?
Hi,
I took some time to think about what you said.
Since it does not make sense to publish a CRL with the certificate that
signed the CRL in it, I won't try to revoke the root CA.
To sum up, I'll revoke all the certificates issued by the root CA but also
by the subordinate CA, starting by revoking the end-user certificates and
publishing a last CRL.
I'll push the certificates into the untrusted CA store by GPO (I have to
look up how to do this).
Thanks for all your answers
Yannick

Mark Gamache wrote:
> This is why protecting the root CA's private key is so vital. You should not
> have issued any certs for use from the root, so first revoke all certs for
> intermediate CAs. Another option would be to remove your CRLs from all of
> the CDPs. Any application that tried to validate the cert chain would take
> issue with that.
> You might also use a GPO to add the root CA cert to the untrusted store on
> each computer.
Brian Komar (Guest)
Posted: Fri Feb 04, 2005 10:10 pm
Post subject: Re: How to revoke the root CA certificate?
In article <4203893a$0$21390$636a15ce@news.free.fr>,
yannick.beot@NOSPAM.free.fr says...
> Hi,
> I took some time to think about what you said.
> Since it does not make sense to publish a CRL with the certificate that
> signed the CRL in it, I won't try to revoke the root CA.
> To sum up, I'll revoke all the certificates issued by the root CA but also
> by the subordinate CA, starting by revoking the end-user certificates and
> publishing a last CRL.
> I'll push the certificates into the untrusted CA store by GPO (I have to
> look up how to do this).
> Thanks for all your answers
> Yannick
> snip

To be honest, all that you have to do is revoke the subordinate CA
certificate and publish the former root CA as an untrusted CA. If an
application performs CRL checking and the issuing CA's certificate is
revoked, all certs issued by that CA are considered revoked.
HTH,
Brian
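The path-validation behaviour the thread circles around (Paul's point that an RFC 3280 validator never checks the anchor's own revocation status, Brian's point that revoking the subordinate CA certificate takes every certificate below it down, and Mark's untrusted-store and CDP options) can be modelled in a short chain walker. This is an added example, not code from the thread or from Windows; signature verification is stood in for by the issuer name, and every name and serial number is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str    # subject of the signing CA; equals subject for a self-signed root
    serial: int
    is_ca: bool = False
@dataclass(frozen=True)
class CRL:
    issuer: str         # CA whose key signed this CRL
    revoked: frozenset  # serial numbers that issuer has revoked
# Constructed sample PKI: offline root -> subordinate CA -> end-entity certificate.
ROOT = Cert("Root CA", "Root CA", 1, is_ca=True)
SUB = Cert("Sub CA", "Root CA", 2, is_ca=True)
LEAF = Cert("www.example.test", "Sub CA", 1001)
CERTS = (ROOT, SUB, LEAF)

def validate(leaf, trusted, untrusted, crls, certs=CERTS):
    """Walk leaf -> issuer -> ... up to a self-signed anchor; return (ok, reason)."""
    by_subject = {c.subject: c for c in certs}
    crl_by_issuer = {c.issuer: c for c in crls}
    cert = leaf
    while True:
        if cert.subject in untrusted:        # explicit distrust (GPO untrusted store) wins
            return False, f"{cert.subject} is in the untrusted store"
        if cert.subject == cert.issuer:      # self-signed: must be a trust anchor
            if cert.subject not in trusted:
                return False, f"{cert.subject} is not a trusted root"
            # RFC 3280 path validation never checks the anchor's own revocation status
            return True, "chain ends at a trusted root"
        issuer = by_subject.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return False, f"no CA certificate found for {cert.issuer}"
        crl = crl_by_issuer.get(issuer.subject)
        if crl is None:                      # CRL missing from every CDP: cannot validate
            return False, f"no CRL available from {issuer.subject}"
        if cert.serial in crl.revoked:       # a revoked CA cert takes everything below it down
            return False, f"{cert.subject} revoked by {issuer.subject}"
        cert = issuer

ROOT_CRL, SUB_CRL = CRL("Root CA", frozenset()), CRL("Sub CA", frozenset())
def root_revokes_itself():  # what certutil -revoke on the root's own serial produced
    return validate(LEAF, {"Root CA"}, set(), (CRL("Root CA", frozenset({1})), SUB_CRL))
def root_revokes_sub_ca():  # Brian's advice: revoke the subordinate CA certificate
    return validate(LEAF, {"Root CA"}, set(), (CRL("Root CA", frozenset({2})), SUB_CRL))
def root_in_untrusted_store():  # Mark's advice: push the root into the untrusted store
    return validate(LEAF, {"Root CA"}, {"Root CA"}, (ROOT_CRL, SUB_CRL))
def sub_crl_removed_from_cdp():  # Mark's other option: pull the CRL from the CDPs
    return validate(LEAF, {"Root CA"}, set(), (ROOT_CRL,))
```

The first scenario still validates, which is the concrete form of the chicken-and-egg problem: a root listing its own serial on its own CRL changes nothing for a conforming validator, so the remaining three scenarios are the only ones that actually stop the chain.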