How to unrevoke Certificate with reason <> "Certificate Hold"

ViktorZacek
Greetings!

Today directly after lunch I was in the mood to clean some things up... one point on that list was "certificates".
I am relatively new to using a Certificate infrastructure to get a VPN running... and since I was sure I only have one certificate active, I revoked the other ones.

Some hours later I get a call from one of my bosses... VPN isn't working.

Oooops... obviously I created the certificates for them. When I revoked them the reason I set was not "Certificate Hold", so I can't unrevoke that. Since it is installed on that (out-of-house) laptop it would be quite complicated to reinstall a new certificate on that laptop.

Is there any other way to unrevoke a certificate?


Best regards,
Viktor Zacek

Commented:
Hi,
Even if the reason was certificate hold, you can unrevoke the certificate from the Revoked Certificates sections, right click, All tasks, unrevoke.
Just tried it and it works.
Thanks,

Author

Commented:
Yes, but any other status than "Certificate Hold" does not work.

Currently the reason for revocation is "Unspecified". Changing from "Unspecified" to any other status 0-5 (see link [1]) is possible, but not for status 6.

Unrevoking is only possible for status 6.



[1] http://technet.microsoft.com/en-us/library/cc739815%28WS.10%29.aspx
Cryptographic Engineer
Commented:
Yes.  You are correct - there is only one method that can be unrevoked.  You had to declare it initially.

Your two options are to either issue a new cert or restore a copy of the CA database prior to the revocation and issue a new CRL (make sure to note what else has been revoked in the meantime and fix).

If it is just a web server style cert to use on your VPN server, it would probably just be easiest to issue a new cert.  This is just used for validation and key exchange for setting up the SSL session, not for storing encrypted files where there would be a need to decrypt.  If it were a data encryption cert, some kinds will not check the revocation list (e.g. EFS).
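A reversible way to do this kind of cleanup on a Windows CA, added here as an example and not part of any post in this thread: look up the certificate's owner, revoke with reason 6 (Certificate Hold), and keep the unrevoke step ready. The function names and the serial number are hypothetical; the `certutil` verbs and reason codes are the standard ones.

```powershell
# Added example. Run in an elevated prompt on the CA server.
# Function names are hypothetical; serial numbers are constructed placeholders.

function Invoke-CertUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed: $($output -join "`n")"
    }
    $output
}

function Get-CertRecord {
    # Show who the certificate was issued to and its current revocation reason.
    param([Parameter(Mandatory)][string]$Serial)
    Invoke-CertUtil @('-view', '-restrict', "SerialNumber=$Serial", '-out',
        'SerialNumber,CommonName,Request.RequesterName,NotAfter,Request.RevokedReason')
}

function Suspend-Certificate {
    # Revoke reversibly: reason 6 is the only one that can be undone later.
    param([Parameter(Mandatory)][string]$Serial)
    Get-CertRecord -Serial $Serial                # review the owner before revoking
    Invoke-CertUtil @('-revoke', $Serial, '6')    # 6 = Certificate Hold
    Invoke-CertUtil @('-CRL')                     # publish a new CRL
}

function Resume-Certificate {
    # Undo a hold. Fails for certificates revoked with any other reason.
    param([Parameter(Mandatory)][string]$Serial)
    Invoke-CertUtil @('-revoke', $Serial, '-1')   # -1 = unrevoke
    Invoke-CertUtil @('-CRL')
    Get-CertRecord -Serial $Serial
}

# Usage (placeholder serial number):
#   Suspend-Certificate -Serial '<serial-number-placeholder>'
#   ... wait and confirm that nothing that still needs the certificate broke ...
#   Resume-Certificate  -Serial '<serial-number-placeholder>'
```

Clients act on the CRL they have cached, so both the hold and the unrevoke take effect only once they fetch the newly published CRL.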

Author

Commented:
Too bad... but I learned to double-check certificates I want to revoke... ;-)

Best regards,
Viktor
