Auto Enrollment Certificates and Revoked Certificates - automatic remove and re-issue
I'm having a problem with revoking a computer certificate. The Local CA is newly created, auto enroll was set up and the certificates were created on computers. When the cert is revoked the CRLs are updated, but the cert isn't removed from the computer and a new one re-issued. We are planning to use the cert for 802.1x.
October 31st, 2011 2:32pm


The GPO settings are the following:
October 31st, 2011 2:38pm

Here are the ADCS CDP, AIA and CRL:
October 31st, 2011 2:40pm

For Autoenrollment to remove expired or revoked certificates, the certificate template needs to support/enable autoenrollment and be published on an enterprise CA. /Hasain
October 31st, 2011 4:24pm

The template is a copy of the machine template and was saved as a 2003 template version. The template was set up for auto-enrollment with permission for Domain Computers. The template has the option Delete revoked and expired certificates (Do not archive). And the template is published. A GPO was set up that contains settings for Certificate Services Client - Auto-Enrollment (with Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates) and Certificate Services Client - Certificate Enrollment Policy (set to LDAP with AD). The CA is an Enterprise CA running 2008 R2 DataCenter in a 2003 domain.

The systems auto-enroll and get the certificate using the template in the correct store. 802.1x works correctly and blocks when the cert is revoked. When I modified the template to expire in a week and had the machine enroll, the cert also wasn't removed. When checking the status of the certs using certutil, they come back with the correct status of revoked or expired. I need to have the certs update when expiring, and the ability to connect to a port not configured with 802.1x and have the machine delete the revoked cert and re-enroll for a new cert. What options need to be configured in the template?
November 1st, 2011 11:23am

The options you have configured are just what is required to enable autoenrollment and all related activities including the reissue of expired or renewal of expiring certificates. Is the problem that expired certificates are not removed from the store although new ones are issued/reissued? /Hasain
November 1st, 2011 2:00pm

The revoked or expired certificates are still in the store and no new certificates are issued to the systems in the store. I verified at the CA and there are no new certificates for the systems.
November 1st, 2011 3:12pm

If initial autoenrollment is working properly, renewal of expired certificates should be as automatic as the initial enrollment. Re-issuance of revoked certificates requires the client to load and refresh the latest CRL to recognize the revoked certificate. Try issuing the following command to clear the CRL cache on the client: certutil -urlcache * delete
/Hasain
November 1st, 2011 3:40pm
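As an added example (not from the thread or from Hasain), the following PowerShell script shows what the client-side check behind this advice looks like: it lists the machine certificates issued from the autoenrollment template, builds each one's chain with an online revocation check the way the autoenrollment client would, reports whether each is revoked, expired or has no reachable CRL, then clears the CRL cache and pulses autoenrollment. The template display name `Workstation 802.1x` is an assumed placeholder, not a name from the thread.

```powershell
# Added example, not code from the thread. Run elevated on a domain-joined client.
# $TemplateName is an assumed placeholder: substitute your own template's display name.
param(
    [string]$TemplateName = 'Workstation 802.1x'
)

# OID of the "Certificate Template Information" extension carried by 2003 (v2) templates.
$templateOid = '1.3.6.1.4.1.311.21.7'

function Get-CertChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with an online revocation check on the leaf only and return the
    # status flags. An empty result means the chain is valid and the CRL says "not revoked".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly'
    $null = $chain.Build($Cert)
    $chain.ChainStatus | ForEach-Object { $_.Status }
}

# Select only certificates whose template extension names the autoenrollment template.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and $ext.Format($false) -like "*$TemplateName*"
}

foreach ($cert in $machineCerts) {
    $status = @(Get-CertChainStatus -Cert $cert)
    $state = if ($status -contains 'Revoked') { 'REVOKED' }
             elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
             # CRL-UNAVAILABLE means the client could not fetch a current CRL from the CDP;
             # autoenrollment cannot recognise a revocation it cannot see.
             elseif ($status -contains 'RevocationStatusUnknown' -or
                     $status -contains 'OfflineRevocation') { 'CRL-UNAVAILABLE' }
             else { 'VALID' }
    '{0,-15} {1}  NotAfter={2:u}  Flags={3}' -f $state, $cert.Thumbprint, $cert.NotAfter, ($status -join ',')
}

# Clear the cached CRLs (the command suggested in the thread) so the client re-fetches
# the current CRL from the CDP, then trigger an autoenrollment pass.
certutil -urlcache * delete | Out-Null
certutil -pulse | Out-Null
```

Run the script once before and once a few minutes after the pulse: a certificate that stays listed as REVOKED after the cache clear points at the template or GPO settings, while CRL-UNAVAILABLE points at the CDP URL or the client's network path to it.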

