Decommissioning an Enterprise CA - How will Workstations react to a mass revoke?


  • I have inherited a small CA setup which includes a standalone root and three issuing CAs, all running on Windows 2003.  I'm looking to upgrade this environment to Windows 2012.  Very new to CAs in general, but so far fairly comfortable with the steps I am reading about.

    We use these CAs primarily to issue computer and user certificates for wireless access.

    Ideally I would like to decommission one of the issuing CAs and then move one of the two remaining ones to our backup datacenter (so I would have one active one per datacenter).  Based on load this seems feasible, but my question is around the real-world scenario that will occur when I decommission one of the CAs.

    I understand the steps are to revoke all certs issued by that CA, publish a CRL, and make sure the expiration of the CRL is past the expiration date of the newest certificate issued.  What I want to know is what will happen when a laptop gets hit with this.  I'm assuming it will drop off the wireless network and do nothing until I plug it in again?  When a Windows machine gets a cert revoked, does it attempt to do a renewal before just dropping it?

    We use a GPO with certificate autoenrollment settings that gets certs when the machine is first built.  I understand the mechanism when a cert is EXPIRING that will have it renew, but I can't picture what will happen if one is REVOKED... will the machine simply autoenroll a new one thanks to the GPO?

    My best guess is that wireless will break until the machine is logged in via a wired connection, but I would love to hear if anyone has gone through this and knows for sure.

    Tuesday, January 28, 2014 8:42 PM
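The three decommissioning steps the post lists (revoke everything the CA issued, stretch the CRL lifetime past the longest-lived certificate, publish the final CRL) as an added PowerShell example using certutil; this is not code from the original post, it assumes it runs on the issuing CA itself with CA administrator rights, and `CAHOST\Contoso Issuing CA 1` is a placeholder for the real `<server>\<CA common name>` config string.

```powershell
# Added example, not from the original post. Retires one Windows issuing CA:
# revokes every issued certificate, then publishes a final CRL long enough to
# outlive the last certificate to expire. Run on the CA host as a CA admin.
$CaConfig = "CAHOST\Contoso Issuing CA 1"   # placeholder: <server>\<CA common name>
$DryRun   = $true                           # set to $false to actually revoke

# Disposition 20 = "issued". certutil -view in csv mode prints one header row,
# then one quoted value per line, so skip the header and strip the quotes.
$serials = certutil -config $CaConfig -view -restrict "Disposition=20" -out "SerialNumber" csv |
           Select-Object -Skip 1 | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }

# Latest NotAfter among issued certs decides how long the final CRL must stay valid.
$latestExpiry = certutil -config $CaConfig -view -restrict "Disposition=20" -out "NotAfter" csv |
                Select-Object -Skip 1 | ForEach-Object { Get-Date ($_.Trim('"')) } |
                Sort-Object -Descending | Select-Object -First 1

Write-Host "Issued certs to revoke: $($serials.Count); latest expiry: $latestExpiry"

# Reason code 5 = CessationOfOperation: the CA itself is being retired, keys are not compromised.
foreach ($serial in $serials) {
    if ($DryRun) { Write-Host "[dry run] would revoke $serial" }
    else         { certutil -config $CaConfig -revoke $serial 5 | Out-Null }
}

if (-not $DryRun) {
    # Base CRL validity in whole years, with one extra year of margin beyond the latest expiry.
    $years = [math]::Ceiling(($latestExpiry - (Get-Date)).TotalDays / 365) + 1
    certutil -setreg CA\CRLPeriodUnits $years
    certutil -setreg CA\CRLPeriod "Years"
    certutil -setreg CA\CRLDeltaPeriodUnits 0   # no delta CRLs: the base CRL alone must suffice
    Restart-Service certsvc                      # -setreg changes apply only after a restart
    certutil -crl                                # publish the final, long-lived CRL
}
```

Before the server is removed, copy the published CRL to every CDP location named in the issued certificates, since clients keep fetching it from those URLs; `certutil -verify -urlfetch <cert.cer>` on a workstation confirms that a revoked certificate now fails chain validation.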