What impact does the revocation of a certification authority certificate have on the certification authority?

The following describes the effect on the operation of a certification authority when one of its certification authority certificates is revoked.

This can also happen deliberately, for example when a previous certification authority hierarchy is being decommissioned.

Case 1: The revocation concerns the certification authority certificate currently in use

The certification authority always issues certificates with its most current certification authority certificate, i.e. the most recently installed one. If this certificate is revoked, the certification authority service refuses to start, and a new certification authority certificate must be requested (renewal) without delay. For more information, see the article "The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)"".

The certification authority logs event ID 100:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  ADCS Labor Issuing CA 3 The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).

Case 2: The revocation concerns one of the previous certification authority certificates

If one of the previous certification authority certificates is revoked, the certification authority service starts normally. Revoking a previous certification authority certificate is part of the normal operation of a certification authority, so the certification authority must be able to handle this case without problems.

The certification authority logs event ID 51:

A certificate in the chain for CA certificate 0 for ADCS Labor Issuing CA 3 has been revoked.  The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).

The certification authority also stops issuing revocation lists for revoked certification authority certificates. Because a revocation list is generated per key, if several certification authority certificates share the same key (for example, after renewing the certification authority certificate with the existing key), no revocation list is issued for any of these certificates anymore.
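As an added example (not part of the original article), the following PowerShell script checks both cases described above directly on the CA host: it reads the list of the CA's certificates from the CertSvc registry key, verifies each one with online revocation checking (the check the service itself fails in Case 1), groups the certificates by public key to show which of them share a revocation list, and pulls the two events mentioned above from the Application log. It assumes an elevated session on a host with a single CA instance and the CA certificates in the local computer's Personal store; the function name Test-CertRevoked is the example's own.

```powershell
# Added example, not from the original article. Needs only registry read access and the
# LocalMachine\My store; the CA service itself does not have to be running (Case 1).
# Assumption: one CA instance on this host, named by the 'Active' registry value.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
# CACertHash lists every CA certificate the CA has had, index 0 first, newest last.
$hashes = (Get-ItemProperty -Path "$cfgKey\$caName" -Name CACertHash).CACertHash
$myStore = Get-ChildItem -Path Cert:\LocalMachine\My

function Test-CertRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking for the whole chain; a revoked
    # CA certificate (or a revoked issuer above it) yields the status 'Revoked'.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    $revoked = $chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' }
    $chain.Dispose()
    return [bool]$revoked
}

$index  = 0
$report = foreach ($h in $hashes) {
    # The registry stores the hash as space-separated hex; Thumbprint is contiguous upper-case hex.
    $thumb = ($h -replace '\s', '').ToUpperInvariant()
    $cert  = $myStore | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "CA certificate [$index] ($thumb) not found in LocalMachine\My"
        $index++
        continue
    }
    # Certificates renewed with the same key have identical public key bytes and
    # therefore the same KeyId; the CA issues one CRL per key, not per certificate.
    $keyBytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.GetPublicKey())
    [pscustomobject]@{
        Index      = $index
        Thumbprint = $thumb
        NotAfter   = $cert.NotAfter
        KeyId      = -join ($keyBytes | ForEach-Object { $_.ToString('x2') })
        Revoked    = Test-CertRevoked -Cert $cert
    }
    $index++
}

$report | Format-Table Index, Thumbprint, NotAfter, Revoked, KeyId -AutoSize

# Case 1: the highest index is the certificate the CA issues with. If it is revoked,
# the service will not start and logs event 100.
$current = $report | Sort-Object Index | Select-Object -Last 1
if ($current.Revoked) {
    Write-Host "Current CA certificate [$($current.Index)] is revoked: expect event 100; request a new CA certificate."
}

# Case 2: a revoked previous certificate logs event 51. Per the article, once a certificate
# in a key group is revoked no CRL is issued for that key anymore, so every other
# certificate sharing the key is affected as well.
$report | Group-Object KeyId | ForEach-Object {
    $members = ($_.Group.Index | Sort-Object) -join ', '
    $state   = if ($_.Group | Where-Object { $_.Revoked }) { 'revoked member present, CRL issuance for this key stops' }
               else { 'no revoked member, CRL still issued' }
    "Key $($_.Name.Substring(0, 16))... used by CA certificate(s) $members : $state"
}

# The two events the article describes, from the AD CS provider in the Application log.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 51, 100
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

The online chain build fetches the CRLs of the issuing hierarchy, so run the script where the CDP URLs in the CA certificates are reachable; if a previous certificate has already been removed from the store (for example after a decommissioning), the script only warns and continues with the remaining indexes.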

The certification authority also tries to remove the invalid certificate from the Authority Information Access (AIA) object in Active Directory. If it lacks the rights to do this, a corresponding error message is logged.
