Revoke Subordinate CA - 2008 R2

We had our enterprise admin create an Enterprise Subordinate CA for our organization. The intent was to start issuing certificates at some point for web servers and services.

It appears that this has inadvertently caused our smart card logins to intermittently not work.  We don't want this to have anything to do with smart card service.  It's been a few weeks since the CA was created and nothing had been done with it.  Today we took a look and the Subordinate CA has issued all these certificates to DCs and PCs around the enterprise. There must be some automated process that is causing this.

As you can tell, I'm not up on how the process works.

Also, looking at the smart card software log, it appears that the CRL location that is listed in the certs is not accessible (LDAP).

Anyway, to rule this out as a possible cause of the intermittent smart card login issues, we would like to just turn the service off and not use it. Using the CA snap-in, there is a "Stop Service" option when the Subordinate CA is right-clicked. But it seems that the subordinate CA that was recently created should be revoked first. So is this procedure a good way to do it:

1. Have the Enterprise Admin revoke the Subordinate CA that was recently created.
2. Have the Ent Admin publish the CRL so the revocation list gets out there right away.
3. Then go to the DC that has the subordinate CA running and choose "Stop Service".
4. What happens when a client that had a cert issued by the subordinate CA tries to contact the subordinate that is now turned off? Will it follow the chain on up and see that the Subordinate CA was revoked and not use it?
5. How do we clear the certs on the DCs and PCs that now have certs from the defunct subordinate CA? Will this take care of itself when the clients see that the subordinate CA has been revoked?

Thanks for any help.
Asked by credog
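Before deciding whether to revoke anything, it helps to see exactly which certificates the subordinate CA has placed on a machine and whether their CRL distribution points can actually be reached, which is the failure the smart card log hints at. The following PowerShell is an added example and not part of the original question; the CA subject name `CN=Contoso Issuing CA` is a placeholder to replace with the real subordinate CA name. Run it on a DC or PC as an administrator; it inventories LocalMachine\My certificates issued by that CA, prints the CRL URLs embedded in each one, and builds the chain with online revocation checking so an unreachable LDAP CRL shows up as a chain status such as RevocationStatusUnknown or OfflineRevocation.

```powershell
# Added example, not from the original question.
# ASSUMPTION: the subordinate CA's subject name below is a placeholder.
$SubCaName = 'CN=Contoso Issuing CA'

# Certificates the CA auto-enrolled onto this machine live in the computer's personal store.
$issued = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Issuer -like "$SubCaName*" }

foreach ($cert in $issued) {
    # OID 2.5.29.31 is the CRL Distribution Points extension: the LDAP/HTTP URLs a
    # relying party tries when it must confirm the certificate is not revoked.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true).Trim() } else { '(no CDP extension)' }

    # OID 1.3.6.1.4.1.311.21.7 names the certificate template that caused the issuance;
    # that template is what auto-enrollment acts on.
    $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tplText = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }

    # Build the chain the way a client would, with online revocation checking for every
    # certificate in the chain. An unreachable CRL surfaces as RevocationStatusUnknown /
    # OfflineRevocation rather than as a clean build.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built  = $chain.Build($cert)
    $status = if ($chain.ChainStatus) { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' } else { 'NoError' }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Template    = $tplText
        CdpUrls     = $cdpText
        ChainBuilt  = $built
        ChainStatus = $status
    }
}
```

If `ChainStatus` reports `RevocationStatusUnknown` or `OfflineRevocation` for the subordinate CA's certificates, the CDP in those certificates is not reachable from that host, and revocation would not be seen by clients any faster than the current CRL can be fetched.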

arnold commented:
I do not believe the revoke is a good idea since it might not work until the CRL is corrected.
You need to check the GPO that deals with auto-enrollment and retarget it to the CA you prefer and/or correct the CRL.
http://technet.microsoft.com/en-us/library/ee649260(v=ws.10).aspx
A revocation of the subordinate CA certificate will invalidate all certificates issued by it, and could lead to more trouble. Not sure whether such revocation will cause the systems/users/devices to auto-enroll.
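The answer above points at two things to inspect rather than revoking: what auto-enrollment is configured to do, and what the CA publishes as its CRL location. The following PowerShell is an added example, not from the answer or the original question; the CA config string `CASERVER\Contoso Issuing CA` is a placeholder for the real `host\CA name`. It reads the machine auto-enrollment policy value set by the "Certificate Services Client - Auto-Enrollment" GPO, lists the templates the subordinate CA is currently offering (the reason DCs and PCs received certificates without anyone requesting them), and shows the CRL publication URLs configured on the CA, all with certutil switches that exist in Windows Server 2008 R2.

```powershell
# Added example, not from the original thread.
# ASSUMPTION: placeholder CA config string; replace with the real "host\CA name".
$CaConfig = 'CASERVER\Contoso Issuing CA'

# 1. Machine auto-enrollment policy written by the GPO
#    "Certificate Services Client - Auto-Enrollment". AEPolicy 0 = disabled;
#    non-zero bits enable enrollment, renewal and template update.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
if (Test-Path $aeKey) {
    $ae = Get-ItemProperty -Path $aeKey
    "Machine auto-enrollment AEPolicy = $($ae.AEPolicy)"
} else {
    'No auto-enrollment policy key present (auto-enrollment not pushed by GPO to this host)'
}

# 2. Templates the subordinate CA is publishing. Any template here that grants
#    Autoenroll permission to Domain Computers / Domain Controllers explains the
#    unexpected certificates. Removing templates from the CA stops new issuance
#    without touching the CA certificate itself.
"--- Templates published on $CaConfig ---"
certutil -config $CaConfig -CATemplates

# 3. CRL publication URLs the CA is configured to write into issued certificates.
#    Flags on each line show which URLs go into the CDP extension; an LDAP path
#    that clients cannot reach is what the smart card log complained about.
"--- CRL publication URLs on $CaConfig ---"
certutil -config $CaConfig -getreg CA\CRLPublicationURLs

# 4. Verify a specific issued certificate end to end, fetching the CRL from each
#    listed URL, to see which CDP entries actually resolve from this host.
#    ASSUMPTION: issued.cer is an exported certificate from step 1 of the inventory.
if (Test-Path '.\issued.cer') {
    certutil -verify -urlfetch '.\issued.cer'
}
```

Taking templates off the CA (step 2) halts further auto-enrollment, and correcting the CDP/CRL URLs (step 3) lets clients complete revocation checks; either addresses the symptom without invalidating every certificate the subordinate CA has already issued.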
