I have inherited a small CA setup which includes a standalone root and three issuing CA's all running on Windows 2003. I'm looking to upgrade this environment to Windows 2012. Very new to CA's in general but so far fairly comfortable with the
steps I am reading about.
We use these CA's primarily to issue computer and user certificates for Wireless access.
Ideally I would like to decommission one of the issuing CA's and then move one of the two remaining ones to our backup datacenter (so I would have one active one per datacenter). Based on load this seems feasible but my question is around the real
world scenario that will occur when I decommission one of the CA's.
I understand the steps are to revoke all certs issued by that CA, publish a CRL and make sure the expiration of the CRL is past the expiration date of the newest certificate issued. What I want to know is what will happen when a laptop gets hit with
this, I'm assuming it will drop off the wireless network and do nothing until I plug it in again? When a Windows machine gets a cert revoked, does it attempt to do a renewal before just dropping it?
We use a GPO with Certificate autoenrollment settings that get certs when the machine is first built. I understand the mechanism when a cert is EXPIRING that will have it renew, but I can't picture what will happen if one is REVOKED...will the machine
simply autoenroll a new one thanks to the GPO?
My best guess is that wireless will break until the machine is logged in via a wired connection but would love to hear if anyone has gone through this and knows for sure.
Based on my research, after certificates are revoked, until the clients load the latest CRL and recognize these certificates are revoked, they won’t enroll new certificates; and before
the former CRL expires, revoked certificates stay valid.
Here are some related threads below for your references:
Revoked certificate but RDP client access is possible
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.