If you revoke a certificate authority's certificate, do all of the certificates it issued become invalid as well?
If CA_A revokes CA_B, does certificate_C become invalid?
Yes, revocation cascades down the tree. If a CA certificate is revoked, all certificates below it (regardless of how many levels below the CA they are) are implicitly considered untrusted. Keep in mind that they become *untrusted*, not revoked.
If CA_A gets revoked (somehow), does its revocation cascade all the way down the chain such that certificate_C is now invalid as well?
Root CA revocation is an undefined operation within RFC5280. In this case, the CA puts its own certificate (serial number) in its own CRL and signs it with its own key. And now we have a chicken-and-egg problem:
The CA cert is revoked (listed in the CRL), but the CRL is signed with a revoked key, so we can't trust this CRL and get a definitive answer about whether the root certificate is revoked. This problem is often solved by not checking root CA revocation using RFC5280 techniques. For example, in the default configuration of Microsoft's certificate chaining engine, root CA certificates are not checked for revocation at all.
Such cases (root CA revocation) are handled differently, using OOB processes, by maintaining a list of explicitly trusted anchors (root certificates) and removing a bad CA cert from the list.
"It depends".
The most secure answer is "yes, it revokes the subtree", because once the "B" certificate has been revoked there's no reason to trust any certificate it claims to have issued (or any CRL it has signed, et cetera).
But it really depends on what inputs are given to the chain builder (which means it won't be consistent from application to application).
- If a chain trust is built without checking revocation, it'll say everything is fine.
- If a chain trust is built only checking the End-Entity revocation, then:
  - If the CA published a final CRL revoking everything, then it'll say revoked.
  - Otherwise it'll say everything is fine.
- If the chain trust is built to check revocation everywhere except the root, it'll say revoked.
- If the chain trust is built to check revocation for the whole chain (which is sort of redundant, since the easiest way to "revoke" the root is to take it out of the trust list), it'll say revoked.
.NET's X509Chain class defaults to checking revocation for everything except the root. Win32 CertGetCertificateChain defaults to no revocation (the revocation type has to be specified via the dwFlags parameter). Other libraries may have different defaults, and applications can configure them in a variety of ways.