Posts on this page:
Hi S-1-1-0! Today I would like to talk about one of the most requested case — expired user certificate removal from Active Directory.
By default when user requests an authentication and/or encryption certificate from an Enterprise CA it is published to userCertificate property under user account in Active Directory. Published authentication certificate is used for certificate mapping to a user account (or group) and are used by domain controllers during certificate-based authentication. Encryption certificates can be used to provide an access to certain encrypted content. In the case of secure email, sender retrieves recipient's certificate from Active Directory and uses it for mail message encryption purposes. The same process occurs when a user want to provide an access to encrypted file (EFS) for another user. Retrieved certificate is used to re-encrypt symmetric encryption key material.
The negative side here is that certificates sometime expires. If existing certificate is renewed it is added to the userCertificate attribute and expired certificates are not replaced. Certain applications can filter expired certificates and display/select only valid certificates. However other applications may not. In the large environments expired certificates increases Active Directory replication traffic. As the result certain companies performs sanity certificate cleanup on a regular basis. The question here — how can I do this? Lets explore some background and solutions.
Recently someone asked a question about how to remove unused certificate stores. GUI and .NET don't provide this functionality (within X509Store class) and you will have to use other things. New Quest AD PKI cmdlets adds some features for certificate stores:
Get-QADLocalCertificateStore -StoreLocation CurrentUser Get-QADLocalCertificateStore -StoreLocation LocalMachine
these commands can be used to explore available certificate containers in CurrentUser and LocalMachine store location. In addition these commands can be used to retrieve certificates from local stores as shown:
Many systems administrators asks about dealing with CRLs (Certificate Revocation List) in Windows PowerShell. Some time ago the answer was — PowerShell can't natively work with CRLs because there are no any managed API (both in .NET and CryptoAPI COM), so you was unable to wrap these classes/interfaces to PowerShell. Hopefully there are 3rd party library in Mono (open-source .NET reference). However this just adds API and nothing else. For more complete PowerShell solution we need to get a cmdlet form. Fortunately Quest Software was first who developed cmdlets for PKI management. You can download them from the link: http://www.quest.com/powershell/activeroles-server.aspx.
Currently there are cmdlets for client certificate/CRL management only. You may ask: we have great certutil.exe, so why we need to search for native PowerShell solution? Yeah, certutil.exe is great cmd utility, but when we want to automate certain tasks, we will have to parse quite complex certutil output. By using PowerShell we can dramatically simplify this job by working with well-known objects.