force removal of revoked certificates...

    Question

  • I have revoked several certificates and want the server they are installed on to automagically delete them.  I have the setting in group policy to automatically remove revoked but it isn't working as I expect.  I issued 'gpupdate /force' and it still doesn't remove them.  To take it a step further the certificate still says it's "OK" when I check the "Certificate Status."  I also already published a CRL at the CA and checked the CRL distribution point as specified in the certificates in question and the CRL lists all of the certificates correctly.  So... what gives?  How do I get this thing to really remove revoked certificates?  TIA.
    Friday, September 05, 2008 4:26 AM

Answers

  • GPO is only a part of the equation. In the certificate template (assuming v2 since you are talking about autoenrollment), ensure that the Request Handling tab is configured to Delete revoked or expired certificates (do not archive).
    This is the switch that is used by autoenrollment (and normal enrollment) to determine whether to remove the certificate from the store or not. But, I have typically seen this happen during renewals.

    How are you checking certificate status? If it is just viewing the certificate by double-clicking, then this is expected behavior. The display of certificates in the UI does not validate the certificate for revocation (only expiration).

    To really test it, run certutil -verify <certfile.crt> or certutil -verify -urlfetch <certfile.crt> (to not use cached CRLs).
    This will give you a true revocation.

    Finally, why do you want to remove them? Hopefully they are just signing certificates. You never want to remove encryption certs (unless you intend to remove access to any files encrypted with the cert).
    Brian
    Sunday, September 07, 2008 4:55 PM
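The check Brian describes can be scripted for a whole store. The following is an added example, not code from the thread or from Microsoft: it builds a chain for every certificate in a store with online revocation checking (what certutil -verify does, and what the double-click view does not), reports which ones are revoked, and optionally removes them. It also applies Brian's caveat by refusing, unless overridden, to remove a certificate whose Key Usage includes KeyEncipherment or DataEncipherment. Assumed: Windows PowerShell 3.0 or later (the Cert: provider supports Remove-Item), an elevated prompt for the LocalMachine store, and CRL distribution points reachable from this host. The parameter names and the status strings are this example's own.

```powershell
<#
  Added example (not from the thread): report, and optionally remove, revoked
  certificates in a certificate store. Revocation is decided by a chain build
  with RevocationMode = Online, the same CryptoAPI chain engine certutil -verify
  uses; the MMC "Certificate Status" view only checks expiry.
  Assumptions: PowerShell 3.0+, elevated for Cert:\LocalMachine, CDP reachable.
#>
param(
    [string]$StorePath = 'Cert:\LocalMachine\My', # store holding the certificates
    [switch]$Remove,                              # delete revoked certs; default is report only
    [switch]$IncludeEncryptionCerts               # override the safety check for encryption certs
)

function Get-RevocationStatus {
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode    = 'Online'       # fetch CRL/OCSP, honouring the local CRL cache
        $chain.ChainPolicy.RevocationFlag    = 'EntireChain'  # check issuers too, not just the leaf
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
        $valid = $chain.Build($Cert)

        $revokedFlag = [int][Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $unknownFlag = [int]([Security.Cryptography.X509Certificates.X509ChainStatusFlags]'RevocationStatusUnknown, OfflineRevocation')
        foreach ($s in $chain.ChainStatus) {
            if (([int]$s.Status -band $revokedFlag) -ne 0) { return 'Revoked' }
        }
        foreach ($s in $chain.ChainStatus) {
            if (([int]$s.Status -band $unknownFlag) -ne 0) { return 'RevocationUnknown' } # CDP unreachable: do not treat as OK
        }
        if ($valid) { return 'Valid' }
        return 'Invalid: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    finally {
        $chain.Reset()
    }
}

function Test-EncryptionCert {
    # True when the certificate can be used to wrap or encrypt data (EFS, S/MIME, key exchange).
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ku = $Cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return $false }
    $enc = [int]([Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, DataEncipherment')
    return (([int]$ku.KeyUsages -band $enc) -ne 0)
}

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $status = Get-RevocationStatus -Cert $cert
    $isEnc  = Test-EncryptionCert -Cert $cert
    $action = 'keep'
    if ($status -eq 'Revoked') {
        if ($isEnc -and -not $IncludeEncryptionCerts) {
            $action = 'skipped: encryption cert, removing it strands data encrypted to it'
        }
        elseif ($Remove) {
            # Remove only the certificate; the private key stays in place (no -DeleteKey).
            Remove-Item -Path (Join-Path $StorePath $cert.Thumbprint)
            $action = 'removed'
        }
        else {
            $action = 'would remove (run with -Remove)'
        }
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Status     = $status
        Encryption = $isEnc
        Action     = $action
    }
}

$results | Format-Table -AutoSize
```

One difference from certutil -verify -urlfetch: the chain engine used here trusts a cached CRL until its NextUpdate, so a certificate revoked after the last CRL download still shows as Valid. To force a fresh download the way -urlfetch does, clear the cache first with certutil -urlcache crl delete (or publish a new CRL at the CA and wait for the old one to expire), then run the script. A RevocationUnknown result means the CDP could not be reached and should be investigated, not treated as a clean bill of health.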

All replies

  • I have exactly the same issue. But I am unable to select "Delete revoked or expired certificates (do not archive)"; the selection is greyed out. You only have this option when you change the purpose to "Signature" instead of "Signature and encryption".

    I have applied autoenrollment of Computer (Version 3) certificates. When I revoke a certificate, for whatever reason, I want it to be automatically deleted on the server. This also applies to manually added Web Server (Version 3) certificates and such.

    Any suggestions?
    Tuesday, December 15, 2009 7:06 PM
  • If the purpose includes Encryption at all then you can't automatically delete certificates for any reason. There's no way around this.


    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, December 15, 2009 8:14 PM
  • OK, clear. Only one thing. Yesterday I duplicated a certificate (User and Computer) and changed it to "Signature" only. I have also checked "Delete revoked or expired certificates (do not archive)" on these templates. Then I autoenrolled both types of certificates to a server and a user. Then I revoked both certificates. But these certificates were not removed automatically.

    It is probably something simple. But so far I have not seen a single certificate being removed automatically.

    Boudewijn

    Wednesday, December 16, 2009 1:07 PM
  • I'm having the same issue as well.  I am issuing a machine certificate in the local computer store to perform WPA2 802.1X authentication. I am currently testing the process of revoking a certificate from the CA, thus kicking it off of our network.  Just a few questions:

    #1. I'm wondering what exactly happens on the client when you revoke a certificate. Does it get deleted from the client if I have the template configured as above?

    #2. What happens when that certificate is expired? Does it get replaced by autoenrollment?

    #3. I found that if a machine gets wiped and rejoined to the domain, the CA issues a new certificate with the same common name. Is there some function that could revoke the old certificates "automagically"?

    Cheers,
    Scott
    Monday, December 28, 2009 8:41 PM

  • #1. I'm wondering what exactly happens on the client when you revoke a certificate. Does it get deleted from the client if I have the template configured as above?

    When you revoke a certificate, nothing happens at the client. It is only when the client enrolls for a new certificate based on the template that the old certificate is deleted.

    #2. What happens when that certificate is expired? Does it get replaced by autoenrollment?

    Again, this depends on the configuration of your network. The answer is yes if you have enabled Read, Enroll, and Autoenroll permissions for the target computer, and GPO allows autoenrollment. Then the autoenrollment attempts kick off at 80% (by default) of the remaining lifetime of the existing certificate. When enrolled, the old certificate is then deleted (if the certificate template is configured so).

    #3. I found that if a machine gets wiped and rejoined to the domain, the CA issues a new certificate with the same common name. Is there some function that could revoke the old certificates "automagically"?

    No. You would need to use software such as ILM to define provisioning and deprovisioning processes that include using the CLM MA to initiate a revoke sequence. Since you probably have techs who just "do it", the answer is no.

    Brian
    Tuesday, December 29, 2009 2:12 PM
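Short of ILM/CLM, the deprovisioning step for question #3 can be scripted against the CA database with certutil. The following is an added example, not code from the thread, from Microsoft, or from ILM: it lists issued certificates from the CA database, groups them by subject common name and template, treats every certificate older than the newest one in each group as superseded (the wiped-and-rejoined case), and revokes those with reason code 4 (Superseded), which is the reason certutil -revoke takes for this situation. It is report-only unless -Revoke is given. Assumed: it runs on the CA or with -Config "CAHost\CAName" against it, under an account with the CA's "Issue and Manage Certificates" permission, and certutil's csv output consists of one header line followed by one row per certificate in the column order requested (a trailing status line, if printed, is filtered out). The parameter names are this example's own.

```powershell
<#
  Added example (not from the thread): revoke CA-database certificates that a
  newer certificate for the same subject and template has superseded.
  Disposition 20 = issued, 21 = revoked in the CA database.
  Assumptions: certutil csv output = header line + one row per certificate;
  NotBefore parses with the current culture (Get-Date).
#>
param(
    [string]$Config,          # e.g. 'CA01\Contoso Issuing CA'; omit when run on the CA itself
    [string]$TemplateFilter,  # optional substring match on the template column, e.g. 'Machine'
    [switch]$Revoke           # actually revoke; default is report only
)

$cfg = @()
if ($Config) { $cfg = @('-config', $Config) }

# Ask only for the columns we need, in a fixed order, so the CSV can be parsed by position.
$columns = 'RequestID,SerialNumber,CommonName,NotBefore,CertificateTemplate'
$raw = & certutil @cfg -view -restrict 'Disposition=20' -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($raw -join ' ')" }

$rows = $raw |
    Select-Object -Skip 1 |   # drop certutil's own header line; we supply our own names
    ConvertFrom-Csv -Header RequestID, SerialNumber, CommonName, NotBefore, Template |
    Where-Object {
        $_.RequestID -match '^\d+$' -and $_.SerialNumber -and      # drops a trailing status line, if any
        (-not $TemplateFilter -or $_.Template -like "*$TemplateFilter*")
    }

# Within each (CommonName, Template) group the newest NotBefore is kept; older ones are superseded.
$plan = foreach ($group in ($rows | Group-Object CommonName, Template)) {
    if ($group.Count -lt 2) { continue }
    $sorted = $group.Group | Sort-Object { Get-Date $_.NotBefore } -Descending
    $keep   = $sorted[0]
    foreach ($old in ($sorted | Select-Object -Skip 1)) {
        [pscustomobject]@{
            CommonName    = $old.CommonName
            Template      = $old.Template
            OldRequestID  = $old.RequestID
            OldSerial     = $old.SerialNumber
            OldNotBefore  = $old.NotBefore
            KeptRequestID = $keep.RequestID
            Result        = 'would revoke (run with -Revoke)'
        }
    }
}

if ($Revoke) {
    foreach ($item in $plan) {
        # Reason 4 = Superseded (0 unspecified, 1 key compromise, 2 CA compromise, 5 cessation, 6 hold).
        & certutil @cfg -revoke $item.OldSerial 4 | Out-Null
        $item.Result = if ($LASTEXITCODE -eq 0) { 'revoked' } else { "failed (exit $LASTEXITCODE)" }
    }
}

$plan | Format-Table -AutoSize
```

Run it without -Revoke first and read the plan: if a subject legitimately holds two live certificates from the same template, narrow it with -TemplateFilter or exclude that subject before revoking. After revoking, publish a CRL (certutil -crl) so the 802.1X authenticator's next CRL fetch sees the change; as Brian notes, nothing is removed from a client store by revocation itself, which for a wiped machine is the desired outcome anyway.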