The internal enterprise CA intermediate certificate is revoked by mistake during a PKI cleanup. All certificates issued by the intermediate CA are now untrusted. Internal web apps, RADIUS 802.1X auth, and LDAPS all fail certificate validation.
Pattern: CERTIFICATE_EXPIRY
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results
| Metric | Expected | Actual | Result |
| --- | --- | --- | --- |
| Pattern Recognition | CERTIFICATE_EXPIRY | CERTIFICATE_EXPIRY | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 30 linked | |
| Cascade Escalation | Yes | Yes | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API | |
Scenario Conditions
Windows AD CS two-tier PKI. Root CA offline. Intermediate CA 'Corp-SubCA-01' certificate revoked in CRL. 200+ certificates issued by SubCA. RADIUS using SubCA-issued cert. LDAPS on DCs using SubCA-issued certs.
Injected Error Messages (3)
Internal CA certificate chain broken — intranet.corp.local certificate expired or untrusted, intermediate CA 'Corp-SubCA-01' revoked in CRL, certificate chain validation failed, CRYPT_E_REVOKED, all SubCA-issued certificates invalid
RADIUS 802.1X authentication failing — server certificate chain broken, cert expired on intermediate CA, EAP-TLS handshake failure, supplicants rejecting server cert, 200+ devices failing wireless/wired authentication
LDAPS connection failures to DC-01 — domain controller certificate expired in chain, certificate chain broken, LDAP connections rejected by clients, Schannel error 36887: fatal alert received from remote endpoint
Neural Engine Root Cause Analysis
The intermediate Certificate Authority 'Corp-SubCA-01' has been revoked and appears in the Certificate Revocation List (CRL), causing all certificates issued by this SubCA to become invalid. This is not a simple certificate expiration but a more serious CA infrastructure issue where the intermediate CA itself has been compromised or revoked. The cascade of 12 correlated incidents confirms that all services using certificates issued by Corp-SubCA-01 are affected simultaneously.
Remediation Plan
1. Verify the status of Corp-SubCA-01 in the CRL and determine if revocation was intentional or accidental.
2. If accidental, work with PKI administrators to remove Corp-SubCA-01 from CRL and redistribute updated CRL.
3. If intentional (due to compromise), generate new intermediate CA and reissue all affected certificates.
4. Update certificate stores across all affected systems.
5. Restart affected services to reload new certificates.
6. Verify certificate chain validation across all impacted services.