Can you revoke a root certificate?

A customer has lost the backup of its own offline PKI Root Server (Windows 2003). As a security precaution we want to revoke the current root and issuing certificates.
In our test environment we already managed to create a new root certificate and a new issuing certificate. We also placed the old issuing certificate on the CRL, which we published. Now we can see that the old issuing certificate is revoked.
I was wondering if it is also possible to place the old Root certificate on the CRL (somehow)? Or must you move it to the Untrusted folder on all (AD) clients?
Are there any other precautions we should take?
The idea is to do this also on the production environment asap, only after everything is figured out :)

Hi,
Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Regards, Yan Li

Similar Messages

  • HT5012 Can I install two root certificates with the same name in iPad?

    Can I install two root certificates with the same name in iPad?

    Antaeus00 wrote:
    I tried sending a request for help,
    But did you succeed in sending a request for help?
    Did you receive a response? How long has it been since you sent a request?
    but I need someone with more authority to talk to.
    There is no one with more authority than iTunes store support. We here are only users.

  • How can i insert a root certificate into firefox data base

    We are a software development company. We launched an app called SAINT, an internet filter that monitors web traffic, www.saintapp.com. We use a certificate, and when going to secure sites like hotmail, gmail, aolmail, yahoo mail, banks, etc., it will display an Untrusted connection message and we have to add an exception to continue. That is because Firefox uses its own certificate database and does not use Microsoft's; our app inserts the certificate into Microsoft's database. How can we insert our certificate into the Firefox database? Or can we send you the certificate so you can insert it into your database and release an update? What can we do?
    Please advise

    Ok,
    Replace array subset is what I was looking for I think. I'll try it out.
    What I meant earlier is; if you have the array (with row indexing on the left)
    0: 1 1 1 1
    1: 2 2 2 2
    2: 3 3 3 3 
    3: 4 4 4 4
    And you want to put 8888 into array with the insert into array vi, at row 2, it becomes 
    0: 1 1 1 1
    1: 2 2 2 2
    2: 8 8 8 8
    3: 3 3 3 3
    4: 4 4 4 4
    But I want it to look like 
    0: 1 1 1 1
    1: 2 2 2 2
    2: 8 8 8 8
    3: 4 4 4 4 
    So I have overwritten row 2, taking into account array indexing starts at 0 :-)

  • How can I import CA root certificate into Nokia 62...

    I need to receive e-mail via IMAP over SSL connection with self-signed server certificate. When I'm trying to download exported certificate in X.509 binary format (*.cer or *.der) I can see all certificate details but I can not save it - phone reports "Security module error".
    There is an inactive "Security module settings" menu item in Settings->Security. When I try to choose it phone says "Insert security module".
    My phone is Nokia 6233 with 5.43 f/w.
    What can I do?

    I'm having the same problem on my Nokia 6131
    Nahuel
    Nokia 5165 / 1100 / 6560 / 6131 / 5130 / E71 / C6-00 / C7 / E7-00 (My 9th Nokia)

  • Revoked Issuing CA Certificate still showing as valid

    Hi There.
    I have an Intermediate CA (Enterprise) and an Offline root CA, both running Windows CA.
    The Intermediate CA's first cert was revoked and the Root CA's CRL with the revoked cert published.
    A new cert was issued to the Intermediate CA, so now I can see both:
    I have cleared the CRL cache with the command:
    certutil -setreg chain\ChainCacheResyncFiletime @now
    on my workstation and did a check on the certificate #0. It still shows as valid.
    I have checked the serial number and made sure that the serial is in the root ca's revocation list.
    What am I missing?
    Thank you.

    Hi,
    We cannot revoke root certificates since root certificates are excluded from revocation checking.
    As far as I know, we should leave the former CA certificate there, since former CRL requires the old certificate for signing; even after the former CA certificate expire, it can be used for digital signature verification.
    Here are some similar threads below for you:
    Can you revoke a root certificate
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/3941e831-b477-4998-8145-445c56783436/can-you-revoke-a-root-certificate?forum=winserversecurity
    How to remove an expired certificate from a RootCA
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/48958ec4-330e-43df-9ecf-6d23a6c05b7b/how-to-remove-an-expired-certificate-from-a-rootca?forum=winserversecurity
    Clean up multiple Root Certificates from a CA
    https://social.technet.microsoft.com/forums/windowsserver/en-US/c5c29079-fe41-44aa-a4ff-f8ba976a8018/clean-up-multiple-root-certificates-from-a-ca
    Cleanup of Issuing CA Certificates
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b8eea11-3a9b-49e6-abe9-b09de203231a/cleanup-of-issuing-ca-certificates?forum=winserversecurity
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
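Added example, not part of the thread and not Microsoft's code: PowerShell that makes the two points above observable on a Windows client. It builds a chain with the .NET `X509Chain` class under a chosen revocation flag (`ExcludeRoot` skips the root, which is the behaviour the answer describes) and reports whether a given CA certificate sits in the Root, CA or Disallowed ("Untrusted Certificates") machine store. The function names, file path and thumbprint placeholder are hypothetical.

```powershell
# Added example. Function names, path and thumbprint below are placeholders.

function Test-CaChainRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # ExcludeRoot: every chain element except the root is checked.
        # EntireChain: the root is included in the check as well.
        [ValidateSet('ExcludeRoot', 'EntireChain', 'EndCertificateOnly')]
        [string]$RevocationFlag = 'ExcludeRoot'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRLs instead of cache only
    $chain.ChainPolicy.RevocationFlag = $RevocationFlag
    $chainValid = $chain.Build($Certificate)

    # One row per chain element, leaf first, with that element's own status flags.
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        [pscustomobject]@{
            Subject    = $cert.Subject
            Serial     = $cert.SerialNumber
            Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Status     = (($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
            ChainValid = $chainValid
        }
    }
    $chain.Reset()
}

function Get-CaStorePresence {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    # Root = Trusted Root CAs, CA = Intermediate CAs, Disallowed = Untrusted Certificates
    foreach ($store in 'Root', 'CA', 'Disallowed') {
        [pscustomobject]@{
            Store   = $store
            Present = (Test-Path -LiteralPath "Cert:\LocalMachine\$store\$clean")
        }
    }
}

# Usage (placeholders, adjust before running):
# $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued-by-old-ca.cer'
# Test-CaChainRevocation -Certificate $leaf -RevocationFlag ExcludeRoot | Format-Table -AutoSize
# Test-CaChainRevocation -Certificate $leaf -RevocationFlag EntireChain | Format-Table -AutoSize
# Get-CaStorePresence -Thumbprint '<OLD-ROOT-THUMBPRINT>'
```

A revoked issuing CA shows up as a `Revoked` status on its chain element once the client has the current root CRL; an old root that should no longer be trusted is expected to report `Present = True` for `Disallowed` and `False` for `Root`.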

  • HT5557 Can you buy gift certificates for specific books in iTunes Store?

    Can you buy a gift certificate for a specific book in the iTunes Store?  If so, can you print it?  If the recipient does not want the book, can he or she get iTunes credit instead?

    You can try leaving feedback for Apple : http://www.apple.com/feedback/itunesapp.html

  • Can you have two Enterprise CA on the same AD Domain at the same time

    Hello
    Can someone please help me with the following question
    If I have a Windows 2003 R2 Enterprise Root CA on the AD Domain can I also Add a separate Windows 2012 R2 Enterprise Root CA to the same domain.
    We do not use Autoenrollment on the existing 2003 R2 CA.
    Network guys want to introduce a Cisco BYOD (Bring Your Own Device) solution using Cisco ISE (Identity Services Engine) which uses SCEP/NDES and therefore need certificates from CA. The thing is the ISE recommend 2008 AD CS as a minimum
    Therefore I wonder if Installing a 2012 R2 Root CA that only provides certificates via the NDES/ISE solution would be a possibility. 
    I understand the Root CA Cert is held in a container under the 'Configuration' partition in Active Directory. Therefore can you have Two Root CA certs in the AD container at the same time for the same AD Domain/Forest?
    The idea would then be to migrate other services to the new CA and phase out the old 2003 R2 CA over time.
    Thanks All
    AAnotherUser__

    On Thu, 18 Sep 2014 09:18:43 +0000, AAnotherUser wrote:
    Therefore can you have Two Root CA certs in the AD container at the same time for the same AD Domain/Forest?
    Yes.
    Paul Adare - FIM CM MVP
    You are trapped in a maze of screens and ssh sessions all alike.
    It is dark, and you are likely to log off the wrong account. -- Nep

  • How to import a Root Certificate Authority for signing

    How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
    I have the CA cert imported in keychain along with its associated private key (from a .p12), it's got the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog, the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
    Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
    Any info/leads on how to get this to work would be much appreciated.
    Regards,
    -david

    Hi Alex,
    From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • Create client vpn package before or after upload root certificate

    Hi everyone,
    I am building a function to create the client VPN package based on OS bit (64 or 32) to connect point-to-site to an Azure virtual network.
    I want to ask somebody:
    Create client vpn package before or after upload root certificate?
    If I upload the root certificate, the function returns error 404.
    If I do not upload the root certificate and run the function generate,
    the function returns status code accepted
    correct result follows msdn is created
    although request body is correct
    ResponseUri = {https://management.core.windows.net/29976d9e-898b-46ab-9f80-6238b4f1725e/services/networking/quyen_network/gateway/vpnclientpackage}
    <VpnClientParameters>
    <ProcessorArchitecture>Amd64</ProcessorArchitecture>
    </VpnClientParameters>
    Thanks for your support,
    Hoa Nguyen

    Hi Hoa Nguyen,
    I'm assuming you are creating a Point-to-Site VPN Connection, for which the steps would be:
    Configure a Virtual Network and a Dynamic Routing Gateway.
    Create your Certificates.
    Configure your VPN Clients.
    So to answer your question, you would upload the root certificate before you create the client VPN Package.
    You could refer the following link for details:
    https://msdn.microsoft.com/en-us/library/azure/dn133792.aspx
    Would you be able to provide us the complete error message you get when you upload the root certificate?
    Regards,
    Malar.

  • Installing Root Certificate? 10.4.11 Where do I look for this.

    Hello, I am setting up a new email (Entourage 2004) account and am getting Error #156 "cannot connect to server because you have no root certificate installed." What the heck is that? Never heard of it. Someone at Midphase told me to sign up for an SSL certificate but I don't know what that means. Really would appreciate some input. Thanks!

    Okay Dave, I see. But, are you saying I have to call my ISP for a trusted cert? Not my host for my site but my guys for how I get on the internet which in my case is toast.net Right? Will they have a clue as to what I'm talking about? T.

  • What would make a PC decide that an SBS self-signed root certificate is revoked because it cannot contact the CRL distribution point?

    I'm puzzled. Scenario is SBS 2008 with some web applications published to the internet over https. Users who access these have the SBSCertificate.cer (expiry 2018) installed in the Trusted Root Certificates store for their local PC. This used to work fine, and in fact it still works fine for me, from my own non-domain joined PC connecting over the internet. However some users are now getting a "certificate revoked" error and cannot connect to the applications. Using Certificate Manager on these client PCs, the properties for this certificate state that it is revoked. It is not in fact revoked, but the CRL is on a local network that is inaccessible from outside (no VPN). Why is this certificate accepted as OK by some external PCs, but not by others, what is the setting that determines this?
    Tim

    Hi Tim,
    Based on your description, would you please let me confirm something more?
    1. "However some users are now getting a "certificate revoked" error and cannot connect to the applications."
    Please let me know the complete error message.
    2. Based on your description, I understand that this issue just occurred in some client computers. Other computers still run as normal. Would you please compare some configurations of the problematic computer with a good one? Any update, please feel free to let me know.
    Please refer to the following KB and articles and check if can help you.
    IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked
    Understanding Certificate Revocation Checks
    How Certificate Revocation Works
    Hope this helps.
    Best regards,
    Justin Gu

  • Go Daddy UCC Certificate: "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update"

    Hello,
    I have this issue regarding certificate chains while performing the Outlook Anywhere connectivity test by Microsoft Remote Connectivity Analyzer:
    "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
    Note: even if I got the error, Outlook Anywhere and ActiveSync services work fine.
    Environment:
    - Exchange 2007 with SP3
    - Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
    I already read and followed instructions on this TechNet post, "Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert", but it is a little bit different from this case.
    So after an investigation I understand the issue above is related to the SSL certificate Certification Path (see screenshots below).
    NO ERRORS on ExRCA checking
    - Go Daddy Secure Certification Authority is under the Intermediate Certification Authorities repository
    - Go Daddy Class 2 Certification Authority is under the Intermediate Certification Authorities repository
    - Starfield Technologies (http://www.valicert.com) is under the Trusted Root Certification Authorities repository
    ERROR on ExRCA checking
    - Go Daddy Secure Certification Authority is under the Intermediate Certification Authorities repository
    - Go Daddy Class 2 Certification Authority is under the Trusted Root Certification Authorities repository
    Can you add some useful information?
    I'm opening a support ticket at Go Daddy; I hope they can give me some positive feedback.
    Regards,
    Luca Fabbri
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Strange, I have a feeling the exrca tool can't validate the godaddy class2 root authority due to some older compatibility and wants to use the older original root authority valicert owned godaddy. Or when the exrca tool is validating the root CA it only has the godaddy class2 root ca that was issued by valicert and not the standalone cert when doing the comparison. I sent the question to MS and will let you know when I hear back.
    You can get rid of it
    https://certs.godaddy.com/anonymous/repository.seam
    Download the cert
    ◦ gd_cross_intermediate.crt
    Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other godaddy class2 root authority. Make sure you see the one you imported; both will be named godaddy class2 root authority but one will be issued by valicert.
    Re-run the test and it will go away. I also saw the error with my domain as well using godaddy and got rid of it by using the new cert authority.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

  • Hi sir i have revoked the distribution certificate , and in one of my iPhone app i had used the same certificate if i will upload the next version of same app then will it create any problem or with the new certificate i can upload my next version of myap

    hi sir i have revoked the distribution certificate , and in one of my iPhone app i had used the same certificate if i will upload the next version of same app then will it create any problem or with the new certificate i can upload my next version of myapp or not plz tell me as soon as possible

    Sounds like you need to ask your question in the developers forums.

  • Since the most recent Firefox update 3.6.8 by banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you g

    Since the most recent Firefox update 3.6.8 my banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you give me some idea why it is doing this?
    == This happened ==
    Every time Firefox opened
    == Right after the new Firefox update

    Hello Anne.
    Can you please try it in a new (temporary) Firefox profile and see if the issue is still present? See [http://support.mozilla.com/en-US/kb/Managing+profiles this article] to know how to create a new Firefox profile. Please report back the results.

  • Can't find Root certificate update (KB931125) in SCCM

    Hi!
    As the thread title says, I can't find the update for new root certificate in the SCCM console but I can see it in the WSUS console. I am in the middle of migrating from 2007 to 2012 so I have two environments and in 2007 I can see one update, Windows 7 [April 2012], which is expired. If I check in WSUS console I can see that there is one for March 2014.
    In my 2012 environment I can see the same updates in WSUS but no one appear in SCCM console.
    I synchronize Windows 7 products and all classifications but Tools and drivers.
    I have created a searchfolder where with the criteria where ArticleID equals to 931125 and i can only find the expired update from April 2012.
    I'm not sure how I can troubleshoot this? 
    Thanks!
    EDIT: I forgot to mention that the synchronization of new updates is working just fine, its just this update i can't get into the sccm console.

    Honestly, I think this is a bug and should be reported to CSS. The November 2013 edition of this update is valid but they unfortunately expired a later revision of the update (April 2014) and I think that this is/may be throwing off the sync between ConfigMgr and WSUS as it's not a normal scenario.
    Jason | http://blog.configmgrftw.com
