000027579 - Microsoft Base Smart Card Crypto Provider does not honor the 'Delete revoked or expired certificates (do not archive)' certificate template setting.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000027579
Applies To:
  • SID800 Tokens
  • RSA Smart Card Middleware 3.0.1
  • RSA SecurID SID800 Authenticator (USB token)
  • Microsoft Windows XP Professional SP2
  • Microsoft CA
Issue: Microsoft Base Smart Card Crypto Provider does not honor the "Delete revoked or expired certificates (do not archive)" certificate template setting.
The MS Certificate Auto Renew process does not replace the actual certificate in slot 0 on the SID800.
We implemented a Microsoft certificate-based authentication system in our Windows environment. Users are therefore required to use the RSA SID800 smartcard (which contains user certificates) for user authentication. During our tests, we discovered a problem with Middleware 3.0.1 and Certificate Auto Renew (the autoenroll function, but the renewing part). The Certificate Auto Renew process does not replace the actual certificate in slot 0, and this is a problem. The process successfully creates a new certificate and places it in the last slot on the smartcard. It does not delete the old one. Normal Auto Renew behavior should replace the old certificate with the new one in the same slot (which is slot 0 for smartcard logon).
Resolution

This is functioning as designed, after discussions with Microsoft Support.
Microsoft provided the following response:

* The Microsoft Base Smart Card Crypto Provider does not honor the certificate template setting to remove expired or revoked certificates.

We confirmed that the expired certificates on the smart card are not removed or moved.

There are no logical containers (OUs) as such on the smart cards. The certificates reside in the memory chip, just like SIM memory in mobile phones.

Microsoft tested this using another smart card and driver and the behavior was the same (i.e. the expired certificates are not removed). Microsoft does not consider this a bug, but rather expected behavior.
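Because the CSP leaves the expired certificate on the card alongside its renewal, an administrator has to find the leftovers by hand. The following PowerShell check is an added example and is not part of the RSA article or of Microsoft's response. It inspects the current user's Personal certificate store rather than the card itself, on the assumption that the smart card's certificates have been propagated there (as the Windows certificate propagation service normally does), groups certificates by subject, and reports every expired certificate that sits beside a currently valid one with the same subject, which is exactly the accumulation described above. The function name and the output column names are this example's own choices.

```powershell
# Added example (not from the RSA article): report expired certificates that remain
# alongside their auto-renewed replacement. Assumes the card's certificates have been
# propagated to Cert:\CurrentUser\My; it does not read the card's slots directly.
function Get-StaleRenewedCertificates {
    param(
        # Certificates to inspect; defaults to the current user's Personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates =
            (Get-ChildItem -Path Cert:\CurrentUser\My),
        # Reference time, overridable so the check can be run against a fixed date.
        [datetime]$Now = (Get-Date)
    )

    # An auto-renewed certificate keeps the subject of the one it replaces,
    # so grouping by Subject pairs each renewal with its expired predecessors.
    $Certificates | Group-Object -Property Subject | ForEach-Object {
        $group   = $_.Group
        $current = @($group | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
        $expired = @($group | Where-Object { $_.NotAfter -le $Now })

        # Only report subjects that have both a valid renewal and an expired leftover;
        # a lone expired certificate with no renewal is a different problem.
        if ($current.Count -gt 0 -and $expired.Count -gt 0) {
            $newest = $current | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
            foreach ($old in $expired) {
                [pscustomobject]@{
                    Subject           = $old.Subject
                    ExpiredThumbprint = $old.Thumbprint
                    ExpiredNotAfter   = $old.NotAfter
                    CurrentThumbprint = $newest.Thumbprint
                    CurrentNotAfter   = $newest.NotAfter
                    HasPrivateKey     = $old.HasPrivateKey
                }
            }
        }
    }
}

# Usage: list the leftovers so they can be reviewed before any manual clean-up of the card.
Get-StaleRenewedCertificates | Format-Table -AutoSize
```

The report is read-only by design: because the card has no logical containers and the CSP will not remove certificates for you, deciding what to delete from the card is a manual step, and this check only tells you which thumbprints are candidates.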

Notes: SMARTCRD-218
Legacy Article ID: a49146
