How to remove expired user certificates from Active Directory
Hi S-1-1-0! Today I would like to talk about one of the most requested case — expired user certificate removal from Active Directory.
By default when user requests an authentication and/or encryption certificate from an Enterprise CA it is published to userCertificate property under user account in Active Directory. Published authentication certificate is used for certificate mapping to a user account (or group) and are used by domain controllers during certificate-based authentication. Encryption certificates can be used to provide an access to certain encrypted content. In the case of secure email, sender retrieves recipient's certificate from Active Directory and uses it for mail message encryption purposes. The same process occurs when a user want to provide an access to encrypted file (EFS) for another user. Retrieved certificate is used to re-encrypt symmetric encryption key material.
The negative side here is that certificates sometime expires. If existing certificate is renewed it is added to the userCertificate attribute and expired certificates are not replaced. Certain applications can filter expired certificates and display/select only valid certificates. However other applications may not. In the large environments expired certificates increases Active Directory replication
traffic. As the result certain companies performs sanity certificate cleanup on a regular basis. The question here — how can I do this? Lets explore some background and solutions.
This is how ADSIEdit.msc displays published certificates in userCertificate attribute. Actually they are stored as a DER encoded byte array. It seems that this format isn't user-friendly. Generally the process should be something like this:
- Retrieve user account from AD;
- Extract an array of byte arrays from userCertificate attribute;
- Instantiate a X509Certificate2 object by using X509Certificate2(Byte) constructor;
- Filter all invalid (expired, revoked, untrusted) certificates by using custom filters;
- Write back remaining certificates to the attribute.
In any way good script will be quite complex. Fortunately we have Quest AD PKI Cmdlets. These cmdlets contains several cmdlets to work with digital certificate:
The first command retrieves invalid certificates (Valid = false). The second command removes these certificates from user account properties. Slightly modified script can be used for all users:
Pretty easy! As always I would advice to read my whitepaper at: Guide for Using Quest AD-PKI cmdlets
Have a fun with PowerShell and Quest cmdlets!