How is revocation of a root certificate handled?

There are several reasons to revoke a certificate, the most popular one being compromise of the private key.

My question is:
What happens if there is a need to revoke the certificate of a certificate authority?

Does this mean that all the certificates it has signed should be considered revoked?
This seems reasonable, since the CA will be issued a new certificate hence a new key-pair.

On the other hand, what would be the process to revoke and reissue possibly hundreds of certificates the specific CA has already issued so far?

I am confused about the consequences of revoking a CA certificate.
Could someone please elaborate on this?

Cratylus asked May 08 '11 21:05



1 Answer

You can't revoke a trusted (e.g. Root CA) certificate, because it is self-signed by the CA and therefore there is no trusted mechanism by which to verify a CRL. If a root CA is compromised it is very bad :-). You have to manually remove the CA from your store (or this can happen by browser or OS updates if those root certs were part of those distributions).

Revoking a CA whose certificate was issued by one of the root CAs means that all the certificates that CA has issued are no longer valid. This happens during path processing: we start at the certificate we are trying to verify and then build a path all the way to a trusted root. Each certificate in that path should have its various path constraints checked, and a CRL (or other mechanism) should be used to determine whether it has been revoked. If any certificate fails, then the whole path is considered invalid.

So the short answer is, yes. If the CA certificate is revoked, all certificates it issued (and so on down the path) should be considered invalid.

Dean Povey answered Sep 21 '22 05:09
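The path-processing argument in the answer can be made concrete with a small model. The following is an added example, not code from the question or the answer: it is a toy model of chain building and per-certificate revocation checks, not real X.509 parsing. All names, serial numbers and CRL contents are constructed. It shows the three cases the answer distinguishes: a healthy path, an intermediate CA whose certificate appears on the root's CRL (which invalidates every leaf below it), and a root that can only be "revoked" by removing it from the trust store, since no CRL could be trusted to say otherwise.

```python
"""Toy model of certification-path validation with revocation checks.

Constructed example (not real X.509 parsing): the names, serials and
CRL contents below are made up to illustrate the algorithm described
in the answer above.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equals subject for a self-signed root
    serial: int
    is_ca: bool


# Revocation data: issuer name -> serial numbers that issuer has revoked.
# A CRL only ever lists certificates signed by the CA that signs the CRL,
# which is why a root's own certificate can never be meaningfully on one.
CrlSet = Dict[str, Set[int]]


def build_path(leaf: Cert, known: Dict[str, Cert], trust_store: Set[str]) -> List[Cert]:
    """Follow issuer links from the leaf until a trust-store entry is reached.

    Returns the path leaf-first, trust anchor last. Raises ValueError when
    no trusted anchor can be reached.
    """
    path = [leaf]
    current = leaf
    while current.subject not in trust_store:
        if current.issuer == current.subject:
            raise ValueError(f"self-signed {current.subject!r} is not in the trust store")
        issuer = known.get(current.issuer)
        if issuer is None:
            raise ValueError(f"no certificate found for issuer {current.issuer!r}")
        if any(issuer.subject == c.subject for c in path):
            raise ValueError("issuer loop detected")
        path.append(issuer)
        current = issuer
    return path


def validate(leaf: Cert, known: Dict[str, Cert], trust_store: Set[str],
             crls: CrlSet) -> Tuple[bool, str]:
    """Check constraints and revocation for every certificate on the path.

    One failing certificate invalidates the whole path. The trust anchor is
    never checked against a CRL: that CRL would be signed by the very key we
    would be distrusting, so the only control is its presence in the store.
    """
    try:
        path = build_path(leaf, known, trust_store)
    except ValueError as exc:
        return False, str(exc)

    for idx, cert in enumerate(path):
        is_leaf = idx == 0
        is_anchor = idx == len(path) - 1
        # basicConstraints: every certificate that signed another must be a CA.
        if not is_leaf and not cert.is_ca:
            return False, f"{cert.subject!r} signed a certificate but is not a CA"
        if is_anchor:
            continue
        # Revocation: consult the CRL published by this certificate's issuer.
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject!r} (serial {cert.serial}) revoked by {cert.issuer!r}"
    return True, " -> ".join(c.subject for c in path)


# Constructed sample PKI: root -> intermediate -> server leaf.
ROOT = Cert("Example Root CA", "Example Root CA", serial=1, is_ca=True)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", serial=2, is_ca=True)
LEAF = Cert("www.example.test", "Example Issuing CA", serial=10, is_ca=False)
KNOWN = {c.subject: c for c in (ROOT, INTERMEDIATE, LEAF)}
TRUST_STORE = {"Example Root CA"}


def scenario_healthy() -> Tuple[bool, str]:
    crls: CrlSet = {"Example Root CA": set(), "Example Issuing CA": set()}
    return validate(LEAF, KNOWN, TRUST_STORE, crls)


def scenario_intermediate_revoked() -> Tuple[bool, str]:
    # The root lists the intermediate's serial on its CRL; every leaf the
    # intermediate signed now fails, even though the leaf itself is not listed.
    crls: CrlSet = {"Example Root CA": {2}, "Example Issuing CA": set()}
    return validate(LEAF, KNOWN, TRUST_STORE, crls)


def scenario_root_removed() -> Tuple[bool, str]:
    # A compromised root cannot be revoked via CRL; it is removed from the store.
    return validate(LEAF, KNOWN, set(), {})


if __name__ == "__main__":
    for name, fn in (("healthy", scenario_healthy),
                     ("intermediate revoked", scenario_intermediate_revoked),
                     ("root removed", scenario_root_removed)):
        ok, info = fn()
        print(f"{name:22} -> {'VALID' if ok else 'INVALID'}: {info}")
```

The model checks revocation per hop against the issuer's own CRL, so marking a single intermediate serial as revoked is enough to reject every certificate beneath it without touching those certificates, which is the "yes" in the answer. The root case is handled by the trust store rather than by any revocation data, matching the point that a self-signed anchor has no trusted CRL to consult.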