If you revoke a certificate authority's certificate, do all of the certificates it issued become invalid as well?


If you revoke a certificate authority's certificate, do all of the certificates it issued become invalid as well? What about for certificates issued by an authority beneath it?



For example, if root CA A issues intermediate CA B, which issues certificate C, and:



  • CA A revokes CA B, does certificate C become invalid?

  • CA A gets revoked (somehow), does its revocation cascade all the way down the chain such that certificate C is now invalid as well?









Tags: public-key-infrastructure, x.509






asked 8 hours ago by Jonathan Wilbur

2 Answers






CA A revokes CA B, does certificate C become invalid?

Yes, revocation cascades down the tree. If a CA certificate is revoked, all certificates below it (regardless of how many levels are below the CA) are implicitly considered untrusted. Keep in mind that they become *untrusted*, not revoked.

CA A gets revoked (somehow), does its revocation cascade all the way down the chain such that certificate C is now invalid as well?

Root CA revocation is an undefined operation. Moreover, in the Microsoft certificate chaining engine's default configuration, the root CA certificate is not checked for revocation at all.






edited 7 hours ago

answered 8 hours ago by Crypt32

+1, I would add that the reason Root CAs have undefined revocation is that in most PKI specs (for example, RFC5280), a Root CA is, by definition, a public key whose hash matches the authorityKeyIdentifier in the certificates that it issues. Often, clients that are trying to save memory will have only the root's public key, and not the entire certificate. You can revoke a certificate, but as mentioned, revoking a public key is ... undefined.

– Mike Ounsworth, 5 hours ago


















                "It depends".



                The most secure answer is "yes, it revokes the subtree", because once the "B" certificate has been revoked there's no reason to trust any certificate it claims to have issued (or any CRL it has signed, et cetera).



                But it really depends on what inputs are given to the chain builder (which means it won't be consistent from application to application).



                • If a chain trust is built without checking revocation, it'll say everything is fine.

                • If a chain trust is built only checking the End-Entity revocation, then

                  • If the CA published a final CRL revoking everything then it'll say revoked.

                  • Otherwise it'll say everything is fine.


                • If the chain trust is built to check revocation everywhere except the root, it'll say revoked.

                • If the chain trust is built to check revocation for the whole chain (which is sort of redundant, since the easiest way to "revoke" the root is to take it out of the trust list), it'll say revoked.

                .NET's X509Chain class defaults to checking revocation for everything except the root. Win32 CertGetCertificateChain defaults to no revocation (the revocation type has to be specified via the dwFlags parameter). Other libraries may have different defaults, and applications can configure them in a variety of ways.







answered 8 hours ago by bartonjs
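As an added example (not code from either answer, nor from .NET or Win32), this Python model runs the chain A -> B -> C from the question through the four revocation scopes bartonjs lists and reproduces the cascade Crypt32 describes; the trust anchor is modelled as a bare key id, as in Mike Ounsworth's comment, so "revoking the root" reduces to removing it from the trust store. The names (RevocationFlag, Cert, CRL, Pki, scenario) and serial numbers are constructed for this example; it does not parse real X.509.

```python
"""Constructed model (not real X.509 parsing) of root A -> intermediate B ->
end-entity C after A revokes B, checked under the four revocation scopes in
the answer.  The trust store holds only the root's key id, so there is no
root certificate to revoke: the only lever against A is dropping it."""
from dataclasses import dataclass
from enum import Enum

class RevocationFlag(Enum):
    """Which chain elements get a CRL lookup (names echo .NET's flags, but this is a stand-alone model)."""
    NO_CHECK = "no revocation checking"
    END_ENTITY_ONLY = "check the end-entity only"
    EXCLUDE_ROOT = "check everything except the root"
    ENTIRE_CHAIN = "check the whole chain"

@dataclass(frozen=True)
class Cert:
    subject: str        # name of the certified key
    issuer: str         # name of the CA key that signed it
    serial: int         # what a CRL entry refers to
    is_ca: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset

@dataclass
class Pki:
    trust_anchors: frozenset  # key ids this client trusts (just "A")
    certs: dict               # subject -> Cert known to the chain builder
    crls: dict                # issuer -> latest CRL it published

def build_chain(pki, leaf):
    """Follow issuer links to a trusted key; leaf-first chain, or None if none."""
    chain = [leaf]
    while chain[-1].issuer not in pki.trust_anchors:
        issuer = pki.certs.get(chain[-1].issuer)
        if issuer is None or not issuer.is_ca or issuer in chain:
            return None  # unknown issuer, non-CA issuer, or a loop
        chain.append(issuer)
    return chain

def verify(pki, leaf, flag):
    """Return 'untrusted', 'revoked', 'revocation status unknown' or 'valid'."""
    chain = build_chain(pki, leaf)
    if chain is None:
        return "untrusted"  # e.g. the root was removed from the trust store
    if flag is RevocationFlag.NO_CHECK:
        to_check = []
    elif flag is RevocationFlag.END_ENTITY_ONLY:
        to_check = chain[:1]
    else:
        # EXCLUDE_ROOT and ENTIRE_CHAIN coincide: the anchor is a bare key with
        # no serial and no issuer CRL, so there is nothing more to look up.
        to_check = chain
    for cert in to_check:  # leaf first, then B, as a chain engine walks it
        crl = pki.crls.get(cert.issuer)
        if crl is None:
            return "revocation status unknown"
        if cert.serial in crl.revoked_serials:
            return "revoked"
    return "valid"

# Constructed sample PKI: trusted key A issued B, B issued C.
CA_B = Cert(subject="B", issuer="A", serial=1001, is_ca=True)
LEAF_C = Cert(subject="C", issuer="B", serial=42)

def scenario(a_revokes_b, b_final_crl, root_trusted=True):
    """Client's view of the PKI for one of the cases in the answer."""
    crl_a = CRL("A", frozenset({CA_B.serial}) if a_revokes_b else frozenset())
    crl_b = CRL("B", frozenset({LEAF_C.serial}) if b_final_crl else frozenset())
    return Pki(trust_anchors=frozenset({"A"}) if root_trusted else frozenset(),
               certs={c.subject: c for c in (CA_B, LEAF_C)},
               crls={"A": crl_a, "B": crl_b})

def verdicts(pki):
    """Verdict for C under every revocation scope."""
    return {flag: verify(pki, LEAF_C, flag) for flag in RevocationFlag}

if __name__ == "__main__":
    for flag, verdict in verdicts(scenario(True, False)).items():
        print(f"{flag.value:<34} -> {verdict}")
```

With A having revoked B and B's own CRL empty, only the scopes that look at B report "revoked"; the end-entity-only scope reports "revoked" solely when B's final CRL lists C, matching the sub-cases above.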
