Expired logon certificates on smartcards not being deleted
Hello,

I have a problem with expired logon certificates on smartcards not being
deleted. This leads to full smartcards.

In Windows Server 2008 PKI and Certificate Security by Brian Komar, p. 270,
it is stated that on a certificate template the "Delete revoked or expired
certificates" option is critical for conserving space on smartcards. However,
it is not possible to enable this option when choosing the purpose "Signature and
smart card logon" on the template. Is there another way of automatically
deleting expired certificates on smartcards (without using ILM! Our
organisation is way too small to utilise ILM)?
I have also tried using the "Signature" purpose (which enables the
delete option), but without any further luck in automatically deleting
expired certs. This purpose also places the cert inside the AT_SIGNATURE key
container of the smartcard, and this in turn leads to more trouble when joining
clients to the domain because of the default setting of not accepting signature
keys for logon (a strange default setting, by the way).

Any enlightenment on the subject is greatly appreciated!