Menu
Suppose a PKI hierarchy like below.
root CA ==> inter-1 CA ==> user-1
\
\======> inter-2 CA ==> user-2
My question is: does root CA also need to periodically download CRL from its children: inter-1 and inter-2?
Since user-1 and user-2 can authenticate each other, if user-2's certificate is revoked by inter-2, inter-2 should let root know and then propagate to inter-1 and user-1, right?
If so, it seems quite complicated. Is there any tool to use for managing the revocation logic? Thanks a lot.
379
According to CA/B Forum rules, these intermediate CA certificates should be revoked within 7 days. However, because revoking the intermediate CA also invalidates all certificates that have been issued by that CA, the impact is exponential.
It is a type of blocklist that includes certificates that should no longer be trusted and is used by various endpoints, including web browsers, to verify if a certificate is valid and trustworthy. The CRL file is signed by the CA to prevent tampering.
A certificate is irreversibly revoked if, for example, it is discovered that the certificate authority (CA) had improperly issued a certificate, or if a private-key is thought to have been compromised.
An intermediate certificate works as a substitute of a root certificate because root certificate has its own security layers assuring that its keys remain unobtainable. Intermediate certificate plays a “Chain of Trust” between an end entity certificate and a root certificate.
Go to Tools->Internet Options->Content tab 2. Click on Certificates and go to the Intermediate Certification Authorities tab 3. Remove any of the following certs that are found.
If no CRL is available, it is expired or doesn't contain the host serial number then NO error message is displayed. That is the specific behavior of IE.
No, revocation of certificate is not propagated across the CA tree. Each CA (root and intermediate in your case) is responsible of the publication of the CRL containing the list of only the revoked certificates that were issued by this CA.
An example:
Root CA publishes a CRL for the certificates issued by Root CA: inter-1 CA and inter-2 CA. Root CA is not aware of the user-1 and user-2 certificates or their revocation status.
inter-1 CA (resp inter-2 CA) publishes a CRL containing the list of revoked certificates issued by inter-1 CA (resp inter-2 CA) and only these certificates.
CRL Root CA CRL inter-1 CA
^ ^
| |
root CA ==> inter-1 CA ==> user-1
|
| CRL inter-2 CA
| ^
\ |
\======> inter-2 CA ==> user-2
if user-1 certificate is revoked, this certificate (actually its serial number) will only appear in the CRL published by inter-1 CA.
When someone wants to check the validity the user-1 certificate the process is as follows:
Note that validating the CRL signature can trigger a validation of another certificate chain : i.e. this algorithm can be recursive. Actually the X.509 certificate validation algorithm is (very) complex and I just summarize the principles here.
189
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
