We have a strange issue affecting a very small number (1%) of Windows 7 clients in our domain.
These laptops are issued a computer certificate (X509) through AD for VPN access. We have a PowerShell script which is run daily on each of these laptops that checks the expiration date on the cert and, if this is less than X days in the future, deletes the cert from the store and calls "gpupdate /force" to re-acquire it with a fresh expiration timer.
(In our case X is larger than the 18 days that AD normally uses for automatic renewal. We have many users that are offline for more than 18 days at a time, so the default 18 days is just too short. The cert must be deleted or else "gpupdate /force" won't do anything.)
In 99% of our computers this works as expected. But we have these few machines where, after the delete of the cert, the cert is NOT automatically re-acquired, unless the computer is rebooted and re-establishes a new computer session with the domain.
Gpupdate doesn't re-acquire the cert, the normal periodic policy check that Windows does every 90-120 minutes in the background doesn't re-acquire it either.
After a reboot the computer will pick up the new cert immediately from AD.
(Obviously: users don't do the extra reboot before going on holiday or a lengthy business trip, so they are in the middle of nowhere and discover their VPN doesn't work because the cert is missing.)
It almost seems as if, after the delete, the cert is kept in a "locked" or "pending" state until the next reboot. The normal update process apparently still "sees" the old cert and has no reason to acquire a new one.
By the way: the delete and subsequent gpupdate are done via this code snippet in PowerShell.
It looks OK to me and nothing weird appears in the generated logfile.
```powershell
# send2log is the script's own logging helper (not shown in the post); minimal stand-in so the snippet runs as-is
if (-not (Get-Command send2log -ErrorAction SilentlyContinue)) { function send2log($msg) { Write-Host $msg } }

# Open the machine's personal ("My") store for writing
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
foreach ($cert in $store.Certificates)
{
    # Only remove certificates issued by our own CA (issuer name redacted)
    if ($cert.Issuer -match "CN=XX-XX-XXX.*")
    {
        $subject = $cert.Subject
        send2log "Deleting certificate: $subject"
        $store.Remove($cert)
    }
}
$store.Close()
# Ask Group Policy to re-run autoenrollment and re-acquire the certificate
$out = & gpupdate.exe /force
send2log "$out"
```
All this leads me to the question: when is a deleted cert really gone (and can be re-acquired)?
Or alternatively: what could prevent this re-acquiring of the cert?
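The daily expiration check the question describes, as an added example that is not the poster's script: it reports each certificate from the issuer with its thumbprint and days to expiry, and only then removes the flagged ones by thumbprint before running gpupdate. Function and parameter names and the 30-day threshold are assumptions; the issuer pattern is the placeholder used in the question.

```powershell
# Added example, not from the original post. Reports every certificate from our
# CA with its remaining lifetime so the decision is logged before any deletion.
function Get-MachineCertStatus {
    param(
        [string]$IssuerPattern = 'CN=XX-XX-XXX.*',   # our CA, redacted as in the question
        [int]   $DaysThreshold = 30                  # "X": must exceed AD's 18-day default
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            if ($cert.Issuer -notmatch $IssuerPattern) { continue }
            $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint     # unique per cert, unlike the Subject
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Renew      = ($daysLeft -lt $DaysThreshold)
            }
        }
    }
    finally { $store.Close() }
}

# Removes only the certificates flagged above, located by thumbprint, logging
# each one, then runs gpupdate exactly as the original script does.
function Renew-FlaggedMachineCerts {
    param([int]$DaysThreshold = 30)
    $flagged = @(Get-MachineCertStatus -DaysThreshold $DaysThreshold | Where-Object { $_.Renew })
    if ($flagged.Count -eq 0) { Write-Host 'No certificate within threshold; nothing to do'; return }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($f in $flagged) {
            # Find() returns a collection; thumbprint lookup avoids deleting a same-subject cert by mistake
            foreach ($c in $store.Certificates.Find('FindByThumbprint', $f.Thumbprint, $false)) {
                Write-Host ("Removing {0} (expires {1}, {2} days left)" -f $c.Thumbprint, $c.NotAfter, $f.DaysLeft)
                $store.Remove($c)
            }
        }
    }
    finally { $store.Close() }
    $out = & gpupdate.exe /force
    Write-Host $out
}
```

Running `Get-MachineCertStatus` on its own (no removal) is a safe way to compare what the store reports on the 1% of machines against a working one before and after the delete.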
0 Answers