A customer has lost the backup of it's own offline PKI Root Server (Windows 2003). As a security precaution we want to revoke the current root and issuing certificates.
In our test environment we already managed to create a new root certificate and a new issuing certificate. We also placed the old issuing certificate on the CRL, which we published. Now we can see that the old issuing certificate is revoked.
I was wondering if it is also possible to place the old Root certificate on the CRL (somehow)? Or must you move it to the Untrusted folder on all (AD) clients?
Are there any other precautions we should take?
The idea is to this also on the production environment asap, only after everything is figured out :)