
My Win2012R2 Subordinate Enterprise CA certificate has expired. I already have a new one working. How can I remove the expired certificate? I see the expired certificate on the General tab of the MMC CA console of the Enterprise CA, but it does not have any remove option.

Do I have to revoke it on the offline Root CA so it disappears from the Enterprise CA?

This is a regular operation, and I don't see any information on the net saying how the expired certificate is removed or revoked from the Enterprise CA.

Bit Cat
  • Yes, you need to revoke it at the offline root CA. The issuing authority for the certificate has to revoke it, which in this case is that root CA. – Mary Jul 24 '15 at 22:40
  • Mary, you are incorrect. You don't need to revoke an expired CA certificate unless its key is compromised or the server is decommissioned. – Crypt32 Jul 25 '15 at 10:38

1 Answer


No, you should not remove or revoke an expired CA certificate. It is used to sign CRLs for that CA certificate's key. This matters when there are signing certificates that can be validated even after the entire chain has expired. This is why there is no button to remove the certificate.

Crypt32
  • After a CA certificate has expired, a CRL can no longer be issued/signed, and there is no need for it to be re-published. For later revocation checking, it is enough to have the last signed CRL published at the CDP address. But non-repudiation signatures cannot rely on the CRL being available online all the time, which is why standards like CAdES, XAdES and similar exist. – Bit Cat Jul 31 '15 at 20:55
  • "After CA certificate is expired, CRL can not be issued/signed any more" is incorrect: a Windows CA signs and publishes CRLs even after the previous CA certificate has expired. – Crypt32 Aug 01 '15 at 12:28
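The point argued in the answer and the last two comments, as an added example that is not from the post and not Windows CA code: a CRL signed today with the key of a CA certificate that expired a year ago still verifies cryptographically, because the signature check binds to the key rather than to the certificate's validity period, so the CA key (and its certificate) must stay available for revocation checking of certificates it issued. Whether a relying party still trusts such a CRL is a policy decision on its side. The CA name, key and serial numbers are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; fine for a demonstration, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CRLFromExpiredCA builds a self-signed CA whose validity ended a year ago (constructed
// material, hypothetical name), signs a fresh CRL with its key today and checks it as a
// relying party would: does the signature verify, is the CA past NotAfter, is 42 revoked?
func CRLFromExpiredCA() (sigOK, caExpired, revoked bool) {
	now := time.Now()
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Issuing CA (constructed)"},
		NotBefore:    now.AddDate(-6, 0, 0),
		NotAfter:     now.AddDate(-1, 0, 0), // expired a year ago
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires one
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(42), RevocationTime: now.AddDate(-2, 0, 0)},
		},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))))
	sigOK = crl.CheckSignatureFrom(ca) == nil // signature math binds to the key, not to NotAfter
	caExpired = now.After(ca.NotAfter)        // whether to still trust it is relying-party policy
	for _, e := range crl.RevokedCertificates {
		revoked = revoked || e.SerialNumber.Cmp(big.NewInt(42)) == 0
	}
	return
}
```

All three results come back true: the CRL is freshly signed and carries the old revocation, while the issuing certificate is long expired.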