|Applies To||SID800 Tokens|
RSA Smart Card Middleware 3.0.1
RSA SecurID SID800 Authenticator (USB token)
Microsoft Windows XP Professional SP2
|Issue||Microsoft Base Smart Card Crypto Provider does not honor the "Delete revoked or expired certificates (do not archive)" certificate template setting.|
The MS Certificate Auto Renew process does not replace the actual certificate in slot 0 on the SID800.
We implemented a Microsoft certificate-based authentication system in our Windows environment. Users are therefore required to use the RSA SID800 smartcard (which contains user certificates) for user authentication. During our tests, we discovered a problem with Middleware 3.0.1 and Certificate Auto Renew (the renewal part of the autoenroll function). The Certificate Auto Renew process does not replace the actual certificate in slot 0, and this is a problem. The process successfully creates a new certificate and places it in the last slot on the smartcard. It does not delete the old one. Normal Auto Renew behavior should replace the old certificate with the new one in the same slot (which is slot 0 for smartcard logon).
After discussions with Microsoft Support, this is functioning as designed.
* The Microsoft Base Smart Card Crypto Provider does not honor the certificate template setting to remove expired or revoked certificates.
We confirmed that the smart card does not remove or move the expired certificates on the Smart Card.
There are no logical containers (OUs) as such on the smart cards. The certificates reside in the memory chip, just as SIM memory does in mobile phones.
Microsoft tested this using another smart card and driver and the behavior was the same (i.e. the expired certificates are not removed). Microsoft does not consider this a bug, but rather expected behavior.
|Legacy Article ID||a49146|