We had our enterprise admin create an Enterprise Subordinate CA for our organization. The intent was to start issuing certificates at some point for web servers and services.
It appears that this has inadvertently caused our smart card logins to intermittently not work. We don't want this to have anything to do with the smart card service. It's been a few weeks since the CA was created and nothing had been done with it. Today we took a look, and the Subordinate CA has issued all these certificates to DCs and PCs around the enterprise. There must be some automated process that is causing this.
As you can tell, I'm not up on how the process works.
Also, looking at the smart card software log, it appears that the CRL location that is listed in the certs is not accessible (LDAP).
Anyway, to rule this out as a possible cause of the intermittent smart card login issues, we would like to just turn the service off and not use it. Using the CA snap-in, there is a "Stop Service" option when the Subordinate CA is right-clicked. But it seems that the subordinate CA that was recently created should be revoked first. So, is this procedure a good way to do it:
1. Have the Enterprise Admin revoke the Subordinate CA that was recently created.
2. Have the Ent Admin publish the CRL so the revocation list gets out there right away.
3. Then go to the DC that has the subordinate CA running and choose "Stop Service".
4. What happens when a client that had a cert issued by the subordinate CA tries to contact the subordinate that is now turned off? Will it follow the chain on up and see that the Subordinate CA was revoked and not use it?
5. How do we clear the certs on the DCs and PCs that now have certs from the defunct subordinate CA? Will this take care of itself when the clients see that the subordinate CA has been revoked?
Thanks for any help.
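The checks and steps below are an added example, not part of the original post or any reply: an elevated PowerShell/certutil walk-through of the decommissioning procedure asked about above. The CA config strings, the CA common names and the template names are placeholders/assumptions; the "automated process" the poster is seeing is Active Directory autoenrollment against templates the Enterprise CA publishes by default, so the script first lists and unpublishes those templates, then revokes the subordinate CA at its issuing (root) CA, publishes the CRL, stops the service, verifies that a client can actually fetch the CRL, and finally removes the certificates the subordinate CA already issued, since revocation alone never deletes a certificate from a machine's store.

```powershell
# Added example (not from the original post). Placeholders: adjust to your environment.
$SubCaConfig  = 'SUBCA01.corp.example\Corp-Sub-CA'    # "<host>\<CA common name>" of the sub CA
$SubCaName    = 'Corp-Sub-CA'                         # CN of the subordinate CA
$RootCaConfig = 'ROOTCA01.corp.example\Corp-Root-CA'  # the CA that issued the sub CA's own cert

# 1. Why did DCs and PCs get certificates? An Enterprise CA issues every template it has
#    published, and some defaults (Domain Controller Authentication, Kerberos Authentication,
#    Directory Email Replication ...) are requested automatically by domain members.
certutil -config $SubCaConfig -CATemplates

# 2. See exactly what the sub CA issued (Disposition=20 means "issued").
certutil -config $SubCaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,SerialNumber,CommonName,CertificateTemplate,NotAfter'

# 3. Unpublish the templates so autoenrollment has nothing to request even if the service
#    is restarted later. "-<Template>" removes a template; template names are assumed here.
certutil -config $SubCaConfig -SetCATemplates -DomainControllerAuthentication -KerberosAuthentication -DirectoryEmailReplication -Machine

# 4. Revoke the sub CA's certificate at the CA that issued it, then publish that CA's CRL.
#    Reason 5 = cessation of operation. The serial is a placeholder read from the root's view.
$SubCaSerial = '<serial number of the sub CA certificate, from the root CA database>'
certutil -config $RootCaConfig -revoke $SubCaSerial 5
certutil -config $RootCaConfig -crl

# 5. Stop and disable the CA service on the sub CA host (here run locally on that host).
Stop-Service -Name CertSvc
Set-Service  -Name CertSvc -StartupType Disabled

# 6. From a client: prove that chain building can reach the CRL. The post notes the LDAP
#    CDP is unreachable; -urlfetch reports every AIA/CDP URL it tries and whether it worked.
$issued = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Issuer -like "*CN=$SubCaName*" } |
          Select-Object -First 1
if ($issued) {
    $cer = Join-Path $env:TEMP 'subca-issued.cer'
    Export-Certificate -Cert $issued -FilePath $cer | Out-Null
    certutil -verify -urlfetch $cer      # expect "revoked" once the root CRL is reachable
}

# 7. Remove certificates the sub CA issued. A revoked issuer makes them fail validation,
#    but nothing purges them from the store; do this on each DC/PC (e.g. via remoting).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$SubCaName*" } |
    ForEach-Object {
        Write-Host "Removing $($_.Subject) ($($_.Thumbprint)) issued by $SubCaName"
        Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"
    }

# 8. Trigger autoenrollment so machines re-enroll from the remaining (intended) CA, if any.
certutil -pulse
```

Step 6 is the one that answers question 4: clients do not contact the stopped subordinate CA at all; they walk the chain and fetch the root's CRL from the URLs embedded in the certificates, so if those URLs are unreachable (the LDAP path the smart card log complains about), revocation checking fails and the result depends on each application's revocation policy rather than on the CA being off. Step 7 answers question 5: a revoked subordinate CA invalidates its certificates but does not remove them.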