2019 Certificate Authority Revocation Issue

Anonymous
2020-08-28T13:38:13.95+00:00

Hi there! I'm having a rather weird issue in our Certificate Authority environment in that when I revoke a user cert, the client never becomes aware of the fact, and it never shows as revoked client-side. Computer-based certificates DO however get actioned and removed per GPO. The only difference is that we have no GPO setting to remove revoked certs in place for users, but we do for domain-joined devices. It does not seem to me that that would disable the check, as that is a fundamental part of a CA.

Unfortunately I need a user cert to be revocable as mgmt wants our VPN to be modified to be cert-based. Any ideas of what might be going wrong? To my understanding, as the CRL is working for the one, it should be working for the other.

Windows Server Security

1 answer

  1. Daisy Zhou (Microsoft Vendor)
    2020-08-31T03:40:20.777+00:00

    Hello @Anonymous ,

    Thank you for posting here.

    Based on the description above, I did a test in my lab.

    1. When I configured the following GPO settings for domain users and then revoked user certificates, the revoked user certificates were removed automatically.

    Automatic certificate management => Enabled
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates => Enabled
    Update and manage certificates that use certificate templates from Active Directory =>Enabled


    2. But when I did not configure the GPO settings above for domain users and then revoked a user certificate, the revoked certificate was still in the user's personal store, and the certificate status showed as OK when I viewed it on the certification path.

    3. However, when I verified by running the command certutil -verify certificatefile, the certificate showed as revoked.

    So you can check the status of the certificate you mentioned, and if it is actually revoked, these certificates should not be used any more.

    If you want to delete the revoked user certificates without user GPO settings, we can remove them manually.

    If I misunderstood you, please correct me.

    Best Regards,
    Daisy Zhou

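The answer's point is that the certificate sitting in the user's Personal store says nothing about revocation; only a chain build with revocation checking (what certutil -verify does) reveals it. The following script is an added example, not code from the thread or from Microsoft: it runs that same chain build from PowerShell over every certificate in the current user's Personal store using the .NET X509Chain class, so revoked certificates that are still present (because no user GPO removes them) are listed. It assumes the CA's CRL distribution point is reachable from the machine; the function name Get-UserCertRevocationStatus and the 15-second URL timeout are choices made for this example.

```powershell
# Added example (not from the original post or answer): audit a certificate
# store with the same chain-building and revocation check that
# "certutil -verify" performs, and report which certificates are revoked.
# Assumes the CRL distribution point of the issuing CA is reachable.

function Get-UserCertRevocationStatus {
    param(
        # Store to audit; Cert:\CurrentUser\My is the user's Personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

        # Online: fetch the CRL/OCSP response instead of trusting only the local
        # cache, so a freshly revoked certificate is caught. EntireChain also
        # checks the issuing CA certificates, not just the leaf.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)  # assumed value

        $built = $chain.Build($cert)
        $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Distinguish "revoked" from "could not check": an unreachable CRL must
        # not be reported as a healthy certificate.
        $state = if ($flags -match '\bRevoked\b') { 'REVOKED' }
                 elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') { 'UNKNOWN (CRL unreachable)' }
                 elseif ($built) { 'OK' }
                 else { 'INVALID' }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Revocation  = $state
            ChainStatus = $flags
        }

        $chain.Reset()
    }
}

# Usage: list every certificate in the user's Personal store with its revocation state.
Get-UserCertRevocationStatus | Format-Table -AutoSize
```

A relying party such as a VPN or NPS server performs this same chain build when a client authenticates with a certificate, so a certificate reported as REVOKED here is rejected at logon regardless of whether the client ever removed it from its store; the UNKNOWN state is worth watching too, because it means the server may be unable to reach the CRL as well.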