Delete revoked or expired certificates and smartcards

Discussion in 'Windows Server' started by Egil, Aug 5, 2009.

  1. Egil

    Egil Guest


    I have a problem with expired logon certificates on smartcards not being
    deleted. This leads to full smartcards.

    In Windows Server 2008 PKI and Certificate Security by Brian Komar, p. 270,
    it is stated that on a certificate template the "Delete revoked or expired
    certificates" option is critical for conserving space on smartcards. However,
    this option is not possible to enable when choosing purpose "Signature and
    smart card logon" on the template. Is there another way of automatically
    deleting expired certificates on smartcards (without using ILM! Our
    organisation is way too small to utilise ILM)?
    I have also tried using the "Signature" purpose (which enables the
    delete-option), but without any further luck in automatic deletion of
    expired certs. This purpose also places the cert inside the AT_SIGNATURE key
    container of the smartcard, and this again leads to more trouble when joining
    clients to domain because of the default setting of not accepting signature
    keys for logon (strange default setting by the way).

    Any enlightenment on the subject is greatly appreciated!
    Egil, Aug 5, 2009