Hello!
I have a certificate revocation issue that I'm hoping to find some information on.
The backstory: I had a machine signing certificate template that issued certificates to 500+ computers in my environment. This template was only intended for a much smaller subset of computers, and we have since revoked all of the incorrectly issued certificates. So far as I can tell, we have our default domain GPO set to automatically delete revoked certificates, but this does not seem to be happening.
On the client machine, I can check the validity of the certificate via certutil, which confirms that the issued certificate is revoked.
My guess as to why the revoked certificates aren't deleted is that the template on the CA was originally set to have a purpose of "Signature and Encryption" which does not allow the "Delete revoked or expired certificates" option to be selected. I have since changed the purpose to "Signature" only and selected the "Delete revoked..." box, but it has not made a difference.
Any thoughts on how I can get rid of the revoked certificates from my 500+ clients? If there's a way for certutil to search a machine's certificate store and delete any certificates issued from a specific template, I can deploy that via GPO. Even better would be a way to force revoked certificates to be deleted.
Thanks for any help!
Tim
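One way to do the store search the post asks about, as an added example that is not from the original poster: a PowerShell script meant to be pushed as a GPO startup script, which walks the machine's Personal store, keeps only certificates whose Certificate Template extension matches a template name or OID, confirms each one is actually revoked via an online chain build, and only then removes it. The template name `MachineSigningTemplate` is a placeholder assumption; run with `-DryRun` first to see what would be deleted.

```powershell
# Added example, not from the original post. Assumes the offending template is
# identified by the placeholder name (or OID) passed in -TemplateMatch.
param(
    [string]$TemplateMatch = 'MachineSigningTemplate',   # placeholder: replace with real template name or OID
    [switch]$DryRun                                      # report only, delete nothing
)

Add-Type -AssemblyName System.Security
$flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

# Extensions that carry the issuing template: v1 templates use a name, v2+ use an OID
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
    if ($ext) { ($ext | ForEach-Object { $_.Format($false) }) -join ';' } else { '' }
}

function Test-Revoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'              # fetch the CRL/OCSP
    $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly'
    [void]$chain.Build($Cert)
    # Only an explicit Revoked status counts; an unreachable CRL yields
    # RevocationStatusUnknown and the certificate is left in place.
    foreach ($s in $chain.ChainStatus) {
        if (($s.Status -band $flags::Revoked) -ne 0) { return $true }
    }
    return $false
}

$removed = 0
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $tmpl = Get-TemplateText $cert
    if ($tmpl -notmatch [regex]::Escape($TemplateMatch)) { continue }
    if (-not (Test-Revoked $cert)) {
        Write-Host "Keeping $($cert.Thumbprint): template matches but not revoked"
        continue
    }
    Write-Host "Removing $($cert.Thumbprint) ($($cert.Subject)); template: $tmpl"
    if (-not $DryRun) { Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" }
    $removed++
}
Write-Host "$removed revoked certificate(s) from template '$TemplateMatch' handled"
```

The revocation check depends on the client being able to reach the CA's CRL distribution point, so a certificate that certutil shows as revoked but that this script keeps usually means the CRL could not be fetched in the machine context.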