Hi S-1-1-0! Today I would like to talk about one of the most requested case — expired user certificate removal from Active Directory.
By default when user requests an authentication and/or encryption certificate from an Enterprise CA it is published to userCertificate property under user account in Active Directory. Published authentication certificate is used for certificate mapping to a user account (or group) and are used by domain controllers during certificate-based authentication. Encryption certificates can be used to provide an access to certain encrypted content. In the case of secure email, sender retrieves recipient's certificate from Active Directory and uses it for mail message encryption purposes. The same process occurs when a user want to provide an access to encrypted file (EFS) for another user. Retrieved certificate is used to re-encrypt symmetric encryption key material.
The negative side here is that certificates sometime expires. If existing certificate is renewed it is added to the userCertificate attribute and expired certificates are not replaced. Certain applications can filter expired certificates and display/select only valid certificates. However other applications may not. In the large environments expired certificates increases Active Directory replication traffic. As the result certain companies performs sanity certificate cleanup on a regular basis. The question here — how can I do this? Lets explore some background and solutions.
This is how ADSIEdit.msc displays published certificates in userCertificate attribute. Actually they are stored as a DER encoded byte array. It seems that this format isn't user-friendly. Generally the process should be something like this:
In any way good script will be quite complex. Fortunately we have Quest AD PKI Cmdlets. These cmdlets contains several cmdlets to work with digital certificate:
Get-QADUser username | Remove-QADCertificate -Valid:$false
The first command retrieves invalid certificates (Valid = false). The second command removes these certificates from user account properties. Slightly modified script can be used for all users:
Get-QADUser | Remove-QADCertificate -Valid:$false
Pretty easy! As always I would advice to read my whitepaper at: Guide for Using Quest AD-PKI cmdlets
Have a fun with PowerShell and Quest cmdlets!
Post your comment: