Revoke Subordinate CA -2008 R2

We had our enterprise admin create an Enterprise Subordinate CA for our Organization. The intent was to start issuing certificates at some point for web servers and services.

It appears that this has inadvertently caused our smart card logins to intermittently not work.  We don't want this to have anything to do with smart card service.  It's been a few weeks since the CA was created and nothing had been done with it.  Today we took a look and the Subordinate CA has issued all these certificates to DCs and PCs around the enterprise. There must be some automated process that is causing this.

As you can tell, I'm not up on how the process works.

Also, looking at the smart card software log, it appears that the CRL location that is listed in the certs is not accessible (LDAP).

Anyway, to rule out this as a possible issue for the intermittent smart card login issues, we would like to just turn the service off and not use it. Using the CA snap-in, there is a "Stop Service" option when the Subordinate CA is right-clicked. But it seems that the subordinate CA that was recently created should be revoked first. So is this procedure a good way to do it:

1. Have the Enterprise Admin revoke the Subordinate CA that was recently created.
2. Have the Ent Admin publish the CRL so the revocation list gets out there right away.
3. Then go to the DC that has the subordinate CA running and choose "Stop Service".
4. What happens when a client that had a cert issued by the subordinate CA tries to contact the subordinate that is now turned off? Will it follow the chain on up and see that the Subordinate CA was revoked and not use it?
5. How do we clear the certs on the DCs and PCs that now have certs from the defunct subordinate CA? Will this take care of itself when the clients see that the subordinate CA has been revoked?

Thanks for any help.
1 Solution
I do not believe the revoke is a good idea since it might not work until the CRL is corrected.
You need to check the GPO that deals with auto-enrollment and retarget it to the CA you prefer and/or correct the CRL.
A revoke of the subordinate certificate will invalidate all certificates issued by it, which could lead to more trouble. Not sure whether such revocation will cause the systems/users/devices to auto-enroll.
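As an added diagnostic that is not part of the thread, the following PowerShell, run on one of the affected DCs or PCs, lists the machine-store certificates issued by the subordinate CA and builds each chain with online revocation checking, so an unreachable LDAP CRL shows up as an explicit chain error rather than as an intermittent logon failure. `CONTOSO-SUBCA-01` is a placeholder for the subordinate CA's common name; the script assumes local administrator rights to read the LocalMachine store.

```powershell
# Added example (not from the thread): inventory certificates in the local
# machine store that chain to the new subordinate CA and test whether each
# one passes a fresh revocation check against the CDP named in the cert.
$SubCaName = 'CONTOSO-SUBCA-01'   # placeholder for the subordinate CA's CN

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$issued = @($store.Certificates | Where-Object { $_.Issuer -like "*CN=$SubCaName*" })
$store.Close()

foreach ($cert in $issued) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode forces a CRL fetch instead of trusting the local CRL cache,
    # so a CDP that is only reachable from some hosts is caught here.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $ok = $chain.Build($cert)

    # RevocationStatusUnknown / OfflineRevocation here matches the smart card
    # log symptom: the cert is fine but its CRL cannot be retrieved.
    $status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

    # Template extension (OID 1.3.6.1.4.1.311.21.7) shows which auto-enrollment
    # template produced the cert, which is what the GPO check needs to target.
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
        NotAfter = $cert.NotAfter
        Chain    = $status
    }
}
```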