Automatically revoke user certificate on delete?
It is useless, because no one can use it (the user account is either disabled or removed). Also, you will increase CRL size and increase CRL retrieval timeouts and network bandwidth. There are no additional security layers when you revoke a user certificate.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 8th, 2012 11:58pm

Thanks, I wasn't sure if it was possible to abuse a non-expired user certificate for a user that no longer exists.
May 9th, 2012 8:50am

It is possible, but useless.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 9th, 2012 9:28am

Is it possible to automatically revoke a user certificate from my internal Windows CA when that user is deleted from Active Directory? I am testing autoenrollment of user certificates but I'm concerned about having to manually manage/revoke certificates when users leave the organization.
May 9th, 2012 4:25pm

Why do you need to revoke certificates?
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 9th, 2012 4:42pm

Why would I want to keep certificates for users that don't exist?
May 9th, 2012 4:50pm


It's worth being clear here. There are no additional security layers assuming: the user account is disabled/removed in AD; and AD is the source of truth for all authentication (not some other system which would require synchronization with AD); and the certificate is not used for anything other than login. Certificates are more than a convenient (more secure) way to authenticate users. Many organisations use them for far more interesting applications.
June 21st, 2012 2:06am
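For the case the last reply raises, where a certificate is used for something other than AD logon and a deleted account should therefore lose it, the following PowerShell script is an added example (not code from the thread or from the PSPKI module mentioned in the signatures). It lists issued certificates on a CA with certutil, resolves each requester against AD, and revokes only the unexpired ones whose account no longer exists, so it adds to the CRL only what is still usable. Assumptions: the CA config string "CAHost\CAName" is a placeholder you supply; the RSAT ActiveDirectory module and certutil.exe are available; certutil's `-view ... -out ... csv` output has one header row followed by one row per certificate in the requested column order; and reason code 5 (cessation of operation) is the revocation reason you want.

```powershell
# Added example: revoke issued, unexpired certificates whose requester account
# has been deleted from AD. Run as a CA officer (certificate manager) on a host
# with RSAT; supports -WhatIf so you can review before revoking.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: "CAHost\CAName", e.g. "ca01.corp.example\Corp Issuing CA"
    [Parameter(Mandatory)] [string]$CAConfig,
    # certutil reason codes: 3 = affiliation changed, 5 = cessation of operation
    [int]$Reason = 5
)
Import-Module ActiveDirectory

# Disposition 20 = issued. Ask only for the columns we need, as CSV.
$raw = & certutil.exe -config $CAConfig -view -restrict "Disposition=20" `
    -out "SerialNumber,RequesterName,NotAfter" csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $CAConfig" }

# The first CSV line is certutil's locale-specific header; impose our own
# column names and drop that line (assumption: rows follow the -out order).
$rows = $raw | ConvertFrom-Csv -Header Serial,Requester,NotAfter | Select-Object -Skip 1

$now     = Get-Date
$revoked = @()
foreach ($r in $rows) {
    # Expired certificates are already unusable; revoking them only bloats the CRL.
    $expires = [datetime]::MinValue
    if (-not [datetime]::TryParse($r.NotAfter, [ref]$expires)) { continue }  # also skips non-data lines
    if ($expires -lt $now) { continue }

    # Requester is "DOMAIN\sam". Skip machine accounts ("host$"), which this script does not cover.
    if ($r.Requester -notmatch '^[^\\]+\\([^\\$]+)$') { continue }
    $sam = $Matches[1]

    # -Filter (not -Identity) so a missing account returns $null instead of throwing.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($user) { continue }   # account still exists (disabled accounts are blocked by AD itself)

    if ($PSCmdlet.ShouldProcess("serial $($r.Serial) issued to $($r.Requester)", "Revoke (reason $Reason)")) {
        & certutil.exe -config $CAConfig -revoke $r.Serial $Reason | Out-Null
        if ($LASTEXITCODE -eq 0) { $revoked += $r.Serial }
        else { Write-Warning "Failed to revoke $($r.Serial)" }
    }
}

Write-Output "Revoked $($revoked.Count) certificate(s) on $CAConfig"
$revoked
```

Run it first with `-WhatIf` to see which serials would be revoked, then without. Nothing on the CA fires on an AD deletion by itself, so schedule the script (daily, or as a task triggered by a user-account-deleted audit event on a domain controller) and publish a new CRL afterwards with `certutil -config "<CAHost\CAName>" -CRL` so relying parties that still check revocation, such as a VPN gateway or an S/MIME client outside AD, pick it up.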
