Question
Monday, December 16, 2019 12:26 PM
Hello,
There are lots of domain computer and user certificates in the CA console that are expired, but they are not moved to the Revoked folder. Why is that?
Also I need an article describing what happens to create these computer and user certificates automatically and when we need them.
Thanks in advance
All replies (4)
Tuesday, December 17, 2019 3:41 AM ✅Answered
Hello,
Thank you for posting in our TechNet forum.
**Q1:** There are lots of domain computer and user certificates in the CA console that are expired, but they are not moved to the Revoked folder. Why is that?
**A1:** According to my understanding, revocation and expiration are two different states of a certificate.
A revoked certificate has not necessarily expired. A certificate should be revoked for some reason, so that the end user or the device can no longer use the certificate. Only revoked certificates will be moved to the Revoked Certificates folder.
An expired certificate is just unusable. We can renew the certificate before it expires so that we can continue to use the certificate normally. If we don't need this certificate anymore, we don't need to renew this certificate before it expires. When the certificate expires, we can delete the expired certificate.
**Q2:** Also I need an article describing what happens to create these computer and user certificates automatically and when we need them.
**A2:** Do we mean whether we want to set up certificate auto enrollment? If so, when our computers and users are too many, we do not want to enroll certificates manually and we want to manage certificates in batches; then we can set up certificate auto enrollment through GPO.
For more information about how to set up certificate auto enrollment, we can refer to the article:
**Set Up Automatic Certificate Enrollment (Autoenroll)**
https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
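The distinction in A1 is visible directly in the CA database: an expired certificate is still a row with disposition "issued" whose NotAfter date has simply passed, while a revoked certificate is a row with disposition "revoked". The script below is an added example (not from the thread, and not PSPKI's own documentation) that lists the two sets separately using the PSPKI module mentioned in the signature above; the CA host name is a placeholder, and the exact cmdlet parameters and output column names are assumed from the module's documented usage.

```powershell
# Added example, not from the thread. Assumes the PSPKI module is installed and
# that 'ca01.contoso.example' is a placeholder for your CA host.
Import-Module PSPKI

$ca  = Get-CertificationAuthority -ComputerName 'ca01.contoso.example'   # placeholder host
$now = Get-Date

# Disposition 20 = issued. Expiry is only a comparison against NotAfter; the CA
# never changes the row's disposition when that date passes, which is why these
# certificates stay under "Issued Certificates" rather than moving anywhere.
$expired = Get-IssuedRequest -CertificationAuthority $ca -Filter "NotAfter -le $now"

# Disposition 21 = revoked. Only these rows show up under "Revoked Certificates",
# and many of them will still be inside their validity period.
$revoked = Get-RevokedRequest -CertificationAuthority $ca

"{0} issued certificates have expired (and were never revoked)" -f @($expired).Count
"{0} certificates are revoked"                                   -f @($revoked).Count

# Revoked rows whose validity has also run out. By default the CA stops listing
# these on the next CRL, since an expired certificate cannot be used anyway.
$revokedAndExpired = $revoked | Where-Object { $_.NotAfter -le $now }
"{0} of the revoked certificates have also expired"              -f @($revokedAndExpired).Count

# Show the expired-but-issued rows; 'Request.RequesterName' is the column name
# PSPKI uses for the requester (assumed here).
$expired |
    Select-Object RequestID, 'Request.RequesterName', CommonName, NotAfter |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# Housekeeping, as the answer above suggests: expired, non-revoked rows can be
# deleted. Left commented so the script is read-only by default.
#   $expired | Remove-DatabaseRow
# Built-in alternative without PSPKI (removes issued rows that expired before the date):
#   certutil -deleterow 12/16/2019 Cert
```

Run it from a machine with the AD CS management tools and CA administrator rights. The two result sets are disjoint by construction, which is the practical point of A1: expiry never changes a row's state, so nothing "moves" an expired certificate into the Revoked folder.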
Monday, December 16, 2019 5:53 PM
Why should they be revoked? Expired certificates are just expired. Revoked certificates are different. The revocation process is used to explicitly discontinue trust in a certificate within its validity period. So it is expected behavior.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
Tuesday, December 17, 2019 12:29 PM
Thank you, dear Daisy.
Your response is exactly my answer and I will mark it as the answer. Just to avoid creating another post, I have to ask another 2 small questions: 1- Can expired certificates be used, or do I have to revoke them? 2- Is it reasonable to delete the CRL list when it is big? (According to my understanding, if a certificate is revoked then it cannot be used, so why should I maintain it in the list for a long period of time? What is the point?)
Thanks in advance
Wednesday, December 18, 2019 7:42 AM
Hi,
Thank you for your reply.
**Q1:** Can expired certificates be used, or do I have to revoke them?
**A1:** Expired certificates cannot be used by the end entity (such as users or computers).
If the certificates issued by the root CA are expired:
We can delete these certificates directly from the CA and the client.
Or we can re-issue these certificates if we still want to use such certificates.
**Q2:** Is it reasonable to delete the CRL list when it is big? (According to my understanding, if a certificate is revoked then it cannot be used, so why should I maintain it in the list for a long period of time? What is the point?)
**A2:** If the certificate is revoked, it cannot be used.
What do we mean by CRL list? Where is the CRL list we mentioned (on the CA or on the clients)?
Do we mean the CRL list is the CRL files in the CertEnroll folder as below?
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
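On the CRL question (Q2 above), a practitioner would first measure the CRL before deciding anything, because a Windows CA already drops a revoked entry once that certificate expires (unless the CA is explicitly configured to keep expired certificates on the CRL), so the list does not grow without bound on its own. Deleting the .crl file from the CDP location, on the other hand, leaves clients unable to fetch a CRL, and revocation checking then fails for every certificate from that CA. The script below is an added example (not from the thread) that summarises a CRL from the CertEnroll folder with certutil and checks the CA's CRLFlags; the file path is a placeholder, and the text patterns assume certutil's English output.

```powershell
# Added example, not from the thread. Assumes certutil.exe (ships with Windows),
# English certutil output, and a placeholder path to the CA's published CRL.
$crlPath = 'C:\Windows\System32\CertSrv\CertEnroll\Contoso-Issuing-CA.crl'   # placeholder

function Get-CrlSummary {
    param([string]$Path)
    # certutil -dump prints the CRL header, then "CRL Entries: N" followed by one
    # block per revoked serial number. We only read the counts and dates.
    $text = (certutil -dump $Path) -join "`n"
    $entries    = if ($text -match 'CRL Entries:\s*(\d+)')      { [int]$Matches[1] }   else { $null }
    $thisUpdate = if ($text -match 'This\s?Update:\s*(.+)')     { $Matches[1].Trim() } else { $null }
    $nextUpdate = if ($text -match 'Next\s?Update:\s*(.+)')     { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Path       = $Path
        SizeKB     = [math]::Round((Get-Item $Path).Length / 1KB, 1)
        Entries    = $entries
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
    }
}

$summary = Get-CrlSummary -Path $crlPath
$summary | Format-List

# Is the CA keeping expired certificates on the CRL? By default it does not, so
# entries roll off as the underlying certificates expire. If this flag is set,
# the CRL keeps every revoked certificate forever and will keep growing.
$flags = certutil -getreg CA\CRLFlags
if ($flags -match 'CRLF_PUBLISH_EXPIRED_CERT_IN_CRL') {
    'CRLF_PUBLISH_EXPIRED_CERT_IN_CRL is set: expired certificates stay on the CRL.'
} else {
    'Expired certificates are dropped from the CRL at the next publish (default).'
}

# Never delete the published .crl by hand: clients that cannot fetch a CRL fail
# revocation checking. Publish a fresh one instead (requires CA admin rights):
#   certutil -CRL
```

If the CRL is large, the answer is usually to publish a new one (so expired entries drop off) or to check whether the flag above was set deliberately, rather than removing the file. On the client side, the "expired" check remains a simple date comparison: `Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date) }` lists the local machine's expired certificates without involving the CRL at all.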