Defining Conditions for Certificate Revocation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Not all PKIs need to be supported by the publication of CRLs. For example, if your certificates provide only a low or medium level of security and are unlikely to be misused, or if they have short lifetimes, there might be no need to create and distribute lists of revoked certificates. If, on the other hand, your certificates have a high perceived value and a lifetime long enough to allow misuse, you need to create and distribute certificate revocation lists on a regular basis.

Before you create certificate revocation schedules, define all the circumstances that justify the revocation of certificates in your organization. For example, you might choose to revoke certificates for any of the following reasons:

  • An unauthorized user has gained access to the private key of the certificate.

  • An unauthorized user has gained access to the CA. In this case, all the certificates that the CA has published must be revoked and reissued.

  • Certificate criteria have changed; for example, an employee has moved to a different department.

  • The certificate has been superseded. For example, you might decide to use a different encryption protocol or a longer key.

  • The CA that issued the certificate is no longer operating.

  • The status of the certificate is on hold. A certificate that has been revoked cannot be renewed. However, if the status of a certificate is questionable, you can revoke it with the Certificate Hold reason and then rescind the revocation if necessary, or re-revoke it for another reason.

    Note

    • Use Certificate Hold sparingly because issues can develop involving the period that the certificate was on hold. For example, if a certificate was on hold for three hours but the hold is then removed, attempts to use the certificate during the hold period can yield unexpected results.

  • Users misuse their security permissions or the private keys of users are compromised (a smart card is lost, for example).

  • A computer is replaced or permanently removed from service, or the private key of the computer is compromised.
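The circumstances listed above correspond to the reason codes a CA writes into each CRL entry (RFC 5280 CRLReason), and the Certificate Hold reason behaves differently from the others because it can be lifted later. The following Python script is an added example, not part of this article or of the Windows CA tooling: it builds a small CRL with the third-party cryptography package (assumed installed), tags one entry per circumstance with its reason code, and looks up a serial number's status. The CA name, serial numbers and dates are constructed for the example.

```python
"""Added example: map the revocation circumstances listed above to RFC 5280
CRLReason codes, build a CRL with the third-party 'cryptography' package
(assumed installed) and look up a certificate's status in it.
The CA, serial numbers and dates below are constructed for the example."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Circumstance from the list above -> CRLReason code placed in the CRL entry.
REASON_FOR_EVENT = {
    "private key of the certificate exposed": x509.ReasonFlags.key_compromise,
    "CA compromised": x509.ReasonFlags.ca_compromise,
    "employee moved to another department": x509.ReasonFlags.affiliation_changed,
    "replaced by a certificate with a longer key": x509.ReasonFlags.superseded,
    "issuing CA no longer operating": x509.ReasonFlags.cessation_of_operation,
    "status questionable (Certificate Hold)": x509.ReasonFlags.certificate_hold,
}

# Constructed clock so the example is deterministic.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def make_ca():
    """Create a throwaway self-signed CA (key and certificate) for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, revocations, crl_number):
    """Sign a CRL listing {serial: ReasonFlags}; each entry carries its reason."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))
        .add_extension(x509.CRLNumber(crl_number), critical=False)
    )
    for serial, reason in revocations.items():
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_status(crl, ca_cert, serial):
    """Return 'good', 'on hold' or 'revoked (<reason>)' for one serial number.
    Only a CRL signed by the CA that issued the certificate is consulted."""
    if crl.issuer != ca_cert.subject:
        raise ValueError("CRL was not issued by this CA")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    if reason is x509.ReasonFlags.certificate_hold:
        return "on hold"  # reversible: a later CRL may simply drop this entry
    return f"revoked ({reason.name})"


def demo():
    """Publish two CRLs: the first revokes one serial per circumstance, the
    second lifts the hold and keeps every other revocation in place."""
    ca_key, ca_cert = make_ca()
    serials = {event: 1000 + i for i, event in enumerate(REASON_FOR_EVENT)}
    first = {serials[e]: r for e, r in REASON_FOR_EVENT.items()}
    crl1 = build_crl(ca_key, ca_cert, first, crl_number=1)
    # Lifting a hold: the next CRL omits the held serial; real revocations stay.
    second = {s: r for s, r in first.items() if r is not x509.ReasonFlags.certificate_hold}
    crl2 = build_crl(ca_key, ca_cert, second, crl_number=2)
    held = serials["status questionable (Certificate Hold)"]
    compromised = serials["private key of the certificate exposed"]
    return {
        "unlisted serial, CRL 1": revocation_status(crl1, ca_cert, 1),
        "held serial, CRL 1": revocation_status(crl1, ca_cert, held),
        "held serial, CRL 2": revocation_status(crl2, ca_cert, held),
        "compromised serial, CRL 2": revocation_status(crl2, ca_cert, compromised),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

The checker refuses a CRL whose issuer or signature does not match the issuing CA, which is the property that makes the root-CA note below hold: a CRL can only speak for certificates issued by the CA that signed it. Note also the caveat from the list above: a client that validated the held certificate during the window between CRL 1 and CRL 2 saw "on hold", so signatures made in that window may be judged differently depending on which CRL the verifier had cached.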

Note

  • A root certificate cannot be revoked by means of a CRL because a root CA is self-signed. A CRL lists only certificates that were issued by the CA that signs it. The alternative is to revoke all the certificates issued by the root CA; the root CA certificate becomes obsolete once no valid certificates issued by it remain.