Revoking a Certificate

A user must hold the Certificate Manager role to be able to revoke certificates. Just as you should not issue certificates in an arbitrary manner, you should not revoke certificates in an arbitrary manner. If possible, your organization should develop a certificate revocation policy that clearly details the reasons and situations for which issued certificates are revoked. These policies are a necessity for organizations that might be legally liable for the consequences of certificate revocation . For example, if a CA issues an SSL certificate to an e-commerce site, revoking that certificate will have an impact on the function of that business . If the revocation cannot be justified, your organization can be legally liable for loss of income. To revoke a certificate, right-click it in the list of issued certificates in the Certification Authority console and, from All Tasks, select Revoke Certificate . As Figure 7-16 shows, a dialog box asks you to provide a reason when you revoke a certificate . You can provide the following reasons:

■ Key Compromise Select this reason if you suspect that the private key associated with the certificate has been compromised. Use this reason to revoke all keys related to a laptop that had been lost or stolen, for instance .

■ CA Compromise Select this reason if you suspect that a subordinate CA has been compromised and want to revoke that CA's signing certificate . This invalidates all certificates issued by that CA, including the certificates of any CA below it in the hierarchy.

■ Change of affiliation Select this reason when the person to whom you issued the certificate leaves or changes his or her role within your organization.

■ Superseded Select this reason when an updated certificate has been issued, perhaps with improvements to the certificate template, and you want to invalidate any previously issued certificates used for the same purpose.

■ Cease of Operation Select this reason when revoking a computer certificate assigned to a computer that is being decommissioned. For example, your organization is decommissioning an e-commerce Web site because of a brand-name change, and you want to revoke the SSL certificate assigned to that site.

■ Certificate Hold Select this reason to place certificates on hold status . This means that the certificate is not validated, but it also has not been fully revoked. It is possible to undo this status by assigning the RemoveFromCRL status, which can be assigned only to certificates placed on hold.

■ Unspecified This reason is assigned when a specific revocation code is not applicable The drawback of this category is that it does not allow auditors to determine why a particular certificate has been revoked if that decision is queried later.

Certificate Revocation

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment