What impact does the revocation of a certification authority certificate have on the certification authority?

The following describes the impact on Certification Authority operations when one of the Certification Authority certificates of a Certification Authority is revoked.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Possible scenarios


Case 1: The revocation concerns the certification authority certificate currently in use

The certification authority always uses the most current, i.e. most recently installed, certification authority certificate to issue its certificates. If this certificate is revoked, the certification authority service refuses to start, and a new certification authority certificate must be requested immediately. More information can be found in the article "The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)"".

The certification authority logs event ID 100:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  ADCS Labor Issuing CA 3 The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).

Case 2: The revocation concerns one of the previous certification authority certificates

If one of the previous certification authority certificates is revoked, the certification authority service starts normally. The revocation of a previous certification authority certificate is part of the normal operation of a certification authority, accordingly the certification authority must be able to handle such a case without any problems.

The certification authority logs event ID 51:

A certificate in the chain for CA certificate 0 for ADCS Labor Issuing CA 3 has been revoked.  The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).

The certification authority will also no longer issue revocation lists for revoked certification authority certificates. If several certification authority certificates share the same key (e.g. because the certification authority certificate was renewed with the same key), a revocation list is no longer issued for any of these certificates, because revocation lists are generated per key, not per certificate.

The certification authority also tries to delete the revoked certificate from its Authority Information Access (AIA) object in Active Directory. If it lacks the rights to do this, a corresponding error message is logged.
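The following script, an added example that is not part of the original article, turns the two cases above into a check an administrator can run on the CA server: it locates all certificates of the certification authority in the machine's Personal store, checks each one for revocation by building its chain with online revocation checking, groups them by public key (so the "same key, no more CRL" effect of case 2 becomes visible), and finally pulls the event log entries 100 and 51 that the article quotes. The CA name, the store location, the use of NotBefore as a proxy for installation order and the event provider name "Microsoft-Windows-CertificationAuthority" are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Assumes it runs on the CA
# server, that the CA's own certificates live in Cert:\LocalMachine\My, and
# that the CA name below matches the Subject CN. The CA name is a placeholder
# taken from the article's event text.
param(
    [string]$CaName = 'ADCS Labor Issuing CA 3'
)

# 1. Find every certificate of this CA (current and previous ones).
#    Installation order is approximated by NotBefore; "certutil -cainfo" is the
#    authoritative source for which certificate index the CA considers current.
$caCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape("CN=$CaName") } |
    Sort-Object NotBefore)

if ($caCerts.Count -eq 0) {
    throw "No certificates found for CA '$CaName' in Cert:\LocalMachine\My"
}
$currentThumbprint = $caCerts[-1].Thumbprint

# 2. Check each CA certificate for revocation by building its chain online.
$sha256       = [System.Security.Cryptography.SHA256]::Create()
$revokedFlag  = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
$results = foreach ($cert in $caCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $isRevoked = [bool]($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 })
    $chain.Reset()

    # CRLs are produced per key, so a short hash of the public key identifies
    # which certificates would lose their CRL together (case 2).
    $keyHash = ([BitConverter]::ToString($sha256.ComputeHash($cert.GetPublicKey())) -replace '-', '').Substring(0, 16)

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        KeyHash    = $keyHash
        Revoked    = $isRevoked
        IsCurrent  = ($cert.Thumbprint -eq $currentThumbprint)
    }
}
$results | Format-Table -AutoSize

# 3. Interpret the findings in terms of the two cases from the article.
$currentRevoked = $results | Where-Object { $_.IsCurrent -and $_.Revoked }
if ($currentRevoked) {
    Write-Warning "Case 1: the current CA certificate is revoked. The CA service will refuse to start (event 100); request a new CA certificate."
}
foreach ($r in ($results | Where-Object { -not $_.IsCurrent -and $_.Revoked })) {
    $sharingKey = $results | Where-Object { $_.KeyHash -eq $r.KeyHash -and $_.Thumbprint -ne $r.Thumbprint }
    $note = if ($sharingKey) {
        "it shares its key with $($sharingKey.Count) other CA certificate(s), so no CRL will be issued for any of them"
    } else {
        "no CRL will be issued for it any more"
    }
    Write-Warning "Case 2: previous CA certificate $($r.Thumbprint) is revoked (event 51 expected); $note."
}

# 4. Show the most recent event log entries 100 and 51 written by the CA.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 100, 51
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it in an elevated PowerShell session on the CA host. The online revocation check needs the CRL distribution points of the issuing hierarchy to be reachable from the server; if they are not, the chain build reports an offline or unknown revocation status rather than Revoked, which is itself a finding worth following up.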
