How is root certificate revocation reversed?

There are several reasons to revoke a certificate, the most popular of which is the compromise of the private key.

My question is:
What happens if you need to revoke a certificate from a certification authority?

Does this mean that all signed certificates should be considered revoked?
This seems reasonable since a new certificate will be issued by the CA, hence a new key pair.

On the other hand, what would be the process of revoking and reissuing the perhaps hundreds of certificates that a particular CA has already issued?

I am confused about the consequences of revoking a CA certificate.
Can anyone comment on this?

+8
Tags: security certificate ssl cryptography
3 answers

You cannot revoke a trusted certificate (for example, a Root CA) because it is signed by the CA itself, and therefore there is no reliable CRL check mechanism. If the root CA is compromised, this is very bad :-). You must manually remove the CA from your store (or this can happen when updating the browser or OS, if these root certificates were part of those distributions).

Revoking a CA whose certificate was issued by one of the root certification authorities means that all certificates issued by that CA are no longer valid. This happens during path processing: we start with the certificate that we are trying to verify, and then build the path to the trusted root. Each certificate on this path is checked against its various path constraints, and a CRL (or other mechanism) is used to determine whether it has been revoked. If any certificate fails, the entire path is considered invalid.

So the short answer is yes. If the CA certificate is revoked, all certificates issued by it (and so on along the way) are considered invalid.

+8

Revoking a certificate means the following: "although the contents of this certificate look good, the certificate should not be used." This is a way to "cancel" the cryptographic signature in the certificate.

Before using the certificate (i.e., using the public key contained in the certificate, for example, as part of an SSL connection), the certificate must be verified, which means that the signature on the certificate must be verified against the public key contained in the CA certificate. This implies the use of a CA certificate, so the signature on that certificate must also be verified, and so on, right down to the "root CA", also known as the "trust anchor", which is assumed to be always verified (it is hardcoded into the software that performs the checks).

If the CA certificate is revoked, it cannot be used (that is the point of certificate revocation: that it no longer be used). In particular, certificate verification can no longer use this CA certificate. The certificates issued by this CA are not revoked: they may be verified by another CA certificate that contains the same key. The CA certificate is like any other certificate: it binds a name to a public key, and nothing prevents the existence of several separate certificates that assert the same binding; this is normal in the case of a "bridge CA" (mainly used so that some certificates can be verified against multiple trusted bindings). Of course, if the CA certificate is revoked because the CA private key has been stolen, then a reasonable course of action is to revoke all the certificates issued to this CA, and the certificates issued by this CA can no longer be verified by anyone.

So, to summarize, revoking a CA certificate does not cancel all the certificates issued by that CA, but it does not allow you to verify these certificates through this CA.

+5
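The two answers above describe the same path-processing rule from different angles: a revoked intermediate kills every path through it, a root can only be removed from the trust store (a CRL signed by the root's own key proves nothing about the root), and a certificate issued under a revoked CA certificate can still validate through another CA certificate that binds the same key (the bridge case). The following is an added example, not code from the thread or from any real validator: a small, stdlib-only simulation of RFC 5280-style path building with CRL checks. Certificates, CRLs, the "Root R", "Root B", "Inter I" and "leaf.example" names, the serial numbers, and the textbook-RSA-over-tiny-primes signature are all constructed stand-ins for the real X.509 objects and keys.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537  # public exponent shared by every toy key


def toy_keypair(p: int, q: int):
    """Textbook RSA from two tiny primes: a constructed, insecure stand-in
    for a real signing key. Returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str   # name being bound
    issuer: str    # name of the CA that signed it
    pub: tuple     # public key bound to the subject
    serial: int    # what a CRL entry refers to
    sig: int

    def tbs(self) -> bytes:  # the "to be signed" portion
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.serial}".encode()


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset  # serial numbers the issuer has revoked
    sig: int

    def tbs(self) -> bytes:
        return f"{self.issuer}|{sorted(self.revoked)}".encode()


def issue(subject, subject_pub, issuer, issuer_priv, serial) -> Cert:
    unsigned = Cert(subject, issuer, subject_pub, serial, 0)
    return Cert(subject, issuer, subject_pub, serial, sign(issuer_priv, unsigned.tbs()))


def make_crl(issuer, issuer_priv, revoked) -> CRL:
    unsigned = CRL(issuer, frozenset(revoked), 0)
    return CRL(issuer, unsigned.revoked, sign(issuer_priv, unsigned.tbs()))


def build_path(cert, pool, anchors, crls, depth=0) -> Optional[list]:
    """Simplified path building: walk from `cert` up to a trust anchor
    (a (name, key) pair trusted out of band), trying every candidate issuer
    certificate in `pool`. Returns the path as a list of Certs, or None."""
    if depth > 8:
        return None
    if (cert.subject, cert.pub) in anchors:
        return [cert]  # anchor: nothing above it can vouch for or revoke it
    for cand in pool:
        if cand.subject != cert.issuer or not verify(cand.pub, cert.tbs(), cert.sig):
            continue
        # Only a CRL signed by the same key that signed `cert` is authoritative.
        if any(c.issuer == cand.subject and verify(cand.pub, c.tbs(), c.sig)
               and cert.serial in c.revoked for c in crls):
            continue
        rest = build_path(cand, pool, anchors, crls, depth + 1)
        if rest is not None:
            return [cert] + rest
    return None


def names(path):
    return None if path is None else [c.subject for c in path]


def scenario():
    """Constructed PKI: two roots, one intermediate key, one leaf."""
    pub_r, priv_r = toy_keypair(1009, 1013)
    pub_b, priv_b = toy_keypair(1019, 1021)
    pub_i, priv_i = toy_keypair(1031, 1033)
    pub_l, _ = toy_keypair(1039, 1049)
    root = issue("Root R", pub_r, "Root R", priv_r, 1)    # self-signed anchor
    bridge = issue("Root B", pub_b, "Root B", priv_b, 1)  # second anchor
    inter = issue("Inter I", pub_i, "Root R", priv_r, 2)
    leaf = issue("leaf.example", pub_l, "Inter I", priv_i, 3)
    pool = [root, bridge, inter, leaf]
    anchors = {("Root R", pub_r), ("Root B", pub_b)}
    out = {"normal": names(build_path(leaf, pool, anchors, []))}
    # Root R revokes the intermediate: every path through that cert dies.
    crl_r = make_crl("Root R", priv_r, {2})
    out["inter_revoked"] = names(build_path(leaf, pool, anchors, [crl_r]))
    # Root B certifies the *same* intermediate key: the leaf validates again.
    inter_b = issue("Inter I", pub_i, "Root B", priv_b, 7)
    out["via_bridge"] = names(build_path(leaf, pool + [inter_b], anchors, [crl_r]))
    # A CRL "revoking" the root, signed by the root's own key, changes nothing.
    crl_self = make_crl("Root R", priv_r, {1})
    out["root_self_revoked"] = names(build_path(leaf, pool, anchors, [crl_self]))
    # The only effective action against a bad root: drop it from the trust store.
    out["root_removed"] = names(build_path(leaf, pool, anchors - {("Root R", pub_r)}, []))
    return out


if __name__ == "__main__":
    for case, path in scenario().items():
        print(f"{case:>18}: {path}")
```

Running the script shows the five cases side by side: the leaf chains to Root R normally, loses every path once Root R's CRL lists the intermediate's serial, chains to Root B instead once a second certificate binds the same intermediate key, is unaffected by a CRL that lists the root's own serial, and only stops chaining to Root R when that anchor is removed from `anchors`, which is the trust-store removal the first answer describes.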

No. If the CA certificate is revoked, then the issued certificates are no longer considered "signed".

0