Hi S-1-1-0! Today I would like to talk about one of the most requested case — expired user certificate removal from Active Directory.

By default when user requests an authentication and/or encryption certificate from an Enterprise CA it is published to userCertificate property under user account in Active Directory. Published authentication certificate is used for certificate mapping to a user account (or group) and are used by domain controllers during certificate-based authentication. Encryption certificates can be used to provide an access to certain encrypted content. In the case of secure email, sender retrieves recipient's certificate from Active Directory and uses it for mail message encryption purposes. The same process occurs when a user want to provide an access to encrypted file (EFS) for another user. Retrieved certificate is used to re-encrypt symmetric encryption key material.

The negative side here is that certificates sometime expires. If existing certificate is renewed it is added to the userCertificate attribute and expired certificates are not replaced. Certain applications can filter expired certificates and display/select only valid certificates. However other applications may not. In the large environments expired certificates increases Active Directory replication traffic. As the result certain companies performs sanity certificate cleanup on a regular basis. The question here — how can I do this? Lets explore some background and solutions.

image

This is how ADSIEdit.msc displays published certificates in userCertificate attribute. Actually they are stored as a DER encoded byte array. It seems that this format isn't user-friendly. Generally the process should be something like this:

  • Retrieve user account from AD;
  • Extract an array of byte arrays from userCertificate attribute;
  • Instantiate a X509Certificate2 object by using X509Certificate2(Byte[]) constructor;
  • Filter all invalid (expired, revoked, untrusted) certificates by using custom filters;
  • Write back remaining certificates to the attribute.

    In any way good script will be quite complex. Fortunately we have Quest AD PKI Cmdlets. These cmdlets contains several cmdlets to work with digital certificate:

    Get-QADUser username | Remove-QADCertificate -Valid:$false

    The first command retrieves invalid certificates (Valid = false). The second command removes these certificates from user account properties. Slightly modified script can be used for all users:

    Get-QADUser | Remove-QADCertificate -Valid:$false

    Pretty easy! As always I would advice to read my whitepaper at: Guide for Using Quest AD-PKI cmdlets

    Have a fun with PowerShell and Quest cmdlets!


Share this article:

Comments:

Bill

Hello Vadims,

Great work sa s always. I enjoy your commentary in the forums on OKI. Do you have some samples of PS scripts (3.0, 4.0) to remove certificates from the User account properties?

Thanks,

Bill Stites

Vadims Podāns

Do you mean with built-in ActiveDirectory module? Not yet...

Michael

Great, just used this to figure out how to remove irrelevant certificates. Example:

$Computer = Get-QADComputer someComputerName; $Computer | Get-QADCertificate | Where-Object { $_.ThumbPrint -eq "1A983D2FA596A00F059DC65B12F45CF4C7748BE7" }  | ForEach-Object { $Computer | Remove-QADCertificate -Thumbprint $_.ThumbPrint }

Btw. The Quest links are broken.

Thanks

Michael

Vadims Podāns

> Btw. The Quest links are broken.

Yeah, this blog post is 9 years old and Quest Software (original developer of Quest cmdlets) was sold multiple times (to Dell, One Identity), so I have no idea if QAD cmdlets still exist in the world.

Brett McClellan

Do you now how i could delete all certificates published to AD from a specific Template?  I don't wnat to delete all the certificates published in AD USer accounts, just certificates that were created with a specific CA Template.

 

Thanks!

Vadims Podāns

You need to do some scripting for that. I would recommend to ask your question on scripting forums, for example, TechNet: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG


Post your comment:

Please, solve this little equation and enter result below. Captcha