Revoked Issuing CA Certificate still showing as valid

Advertisement

Revoked Issuing CA Certificate still showing as valid
Hi There.
I have an Intermediate CA (Enterprise) and an Offline root CA, both running Windows CA.
The Intermediate CA's first cert was revoked and the Root CA's CRL with the revoked cert published.
A new cert was issued to the Intermediate CA, so now I can see both:
I have cleared the CRL cache with the command:
certutil -setreg chain\ChainCacheResyncFiletime @now
on my workstation and did a check on the certificate #0. It still shows as valid.
I have checked the serial number and made sure that the serial is in the root ca's revocation list.
What am I missing?
Thank you.
Repaly
Hi,
We cannot revoke root certificates since root certificates are excluded from revocation checking.
As far as I know, we should leave the former CA certificate there, since former CRL requires the old certificate for signing; even after the former CA certificate expire, it can be used for digital signature verification.
Here are some similar threads below for you:
Can you revoke a root certificate
https://social.technet.microsoft.com/Forums/windowsserver/en-US/3941e831-b477-4998-8145-445c56783436/can-you-revoke-a-root-certificate?forum=winserversecurity
How to remove an expired certificate from a RootCA
https://social.technet.microsoft.com/Forums/windowsserver/en-US/48958ec4-330e-43df-9ecf-6d23a6c05b7b/how-to-remove-an-expired-certificate-from-a-rootca?forum=winserversecurity
Clean up multiple Root Certificates from a CA
https://social.technet.microsoft.com/forums/windowsserver/en-US/c5c29079-fe41-44aa-a4ff-f8ba976a8018/clean-up-multiple-root-certificates-from-a-ca
Cleanup of Issuing CA Certificates
https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b8eea11-3a9b-49e6-abe9-b09de203231a/cleanup-of-issuing-ca-certificates?forum=winserversecurity
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Read More: The other 2 answers