How is revocation of a root certificate handled?

Question

There are several reasons to revoke a certificate, the most popular one being compromise of the private key.

My question is:
What happens if there is a need to revoke the certificate of a certificate authority?

Does this mean that all the certificates it has signed should be considered revoked?
This seems reasonable, since the CA will be issued a new certificate hence a new key-pair.

On the other hand, what would be the process to revoke and reissue possibly hundreds of certificates the specific CA has already issued so far?

I am confused on the consequences of revoking a CA certificate.
Could someone please elaborate on this?

Answer 1

You can't revoke a trusted (e.g. Root CA) certificate, because it is self-signed by the CA and therefore there is no trusted mechanism by which to verify a CRL. If a root CA is compromised it is very bad :-). You have to manually remove the CA from your store (or this can happen by browser or OS updates if those root certs were part of those distributions).

Revoking a CA whose certificate was issued by one of the root CAs means that all the certificates that CA has issued are no longer valid. This happens during path processing, we start at the certificate we are trying to verify and then build a path all the way to a trusted root. Each certificate in that path should have their various path constraints checked, and a CRL (or other mechanism) should be used to determine whether they have been revoked. If any certificate fails then the whole path is considered invalid.

So the short answer is, yes. If the CA certificate is revoked, all certificates it issued (and so on down the path) should be considered invalid.