Microsoft Base Smart Card Crypto Provider does not honor the 'Delete revoked or expired certificates (do not archive)' certificate template setting.
Originally Published: 2009-12-24
Article Number
Applies To
RSA Smart Card Middleware 3.0.1
RSA SecurID SID800 Authenticator (USB token)
Microsoft Windows XP Professional SP2
Microsoft CA
Issue
The MS Certificate Auto Renew process does not replace the actual certificate in slot 0 on SID800
We implemented a Microsoft certificate-based authentication system in our Windows environment. Users are therefore required to use the RSA SID800 smartcard (which contains user certificates) for user authentication. During our tests, we discovered a problem with Middleware 3.0.1 and Certificate Auto Renew (the renewal part of the autoenroll function). The Certificate Auto Renew process does not replace the actual certificate in slot 0, and this is a problem. The process successfully creates a new certificate and places it at the last slot in the smartcard. It does not delete the old one. Normal Auto Renew behavior should replace the old certificate with the new one in the same slot (which is slot 0 for smartcard logon).
Resolution
This is functioning as designed, per discussions with Microsoft Support.
Microsoft provided the following response:
* The Microsoft Base Smart Card Crypto Provider does not honor the certificate template setting to remove expired or revoked certificates.
We confirmed that the smart card does not remove or move the expired certificates on the Smart Card.
There are no logical containers (OUs) as such on the smart cards. The certificates reside in the memory chip, just like we have SIM memory in mobile phones.
Microsoft tested this using another smart card and driver and the behavior was the same (i.e. the expired certificates are not removed). Microsoft does not consider this a bug, but rather expected behavior.
Notes
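Because the old certificate stays on the token after renewal, an administrator may want to inventory which logon certificates are expired leftovers. The following is an added example, not part of the original article or RSA/Microsoft tooling; it assumes PowerShell 3.0 or later and that the token's certificates are visible in the current user's Personal store, and the function names are hypothetical. It covers expired certificates only, not revoked ones.

```powershell
# Added example: list expired smart card logon certificates that renewal left behind.
# Assumption: the token's certificates appear in Cert:\CurrentUser\My.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon enhanced key usage

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the extensions and look for the Smart Card Logon OID in the EKU list.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $SmartCardLogonOid) { return $true }
            }
        }
    }
    return $false
}

function Get-LeftoverLogonCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [datetime]$Now = (Get-Date)
    )
    $logon = @($Certificates | Where-Object { Test-SmartCardLogonCert $_ })
    # Renewal issues a new certificate for the same subject, so group by subject.
    foreach ($group in ($logon | Group-Object Subject)) {
        $valid = @($group.Group |
            Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
        foreach ($old in ($group.Group | Where-Object { $_.NotAfter -le $Now })) {
            [pscustomobject]@{
                Subject             = $old.Subject
                Thumbprint          = $old.Thumbprint
                Expired             = $old.NotAfter
                # True when a currently valid certificate for the same subject exists,
                # i.e. the expired one is a leftover rather than the only credential.
                HasValidReplacement = ($valid.Count -gt 0)
            }
        }
    }
}

# Report only; nothing is deleted from the store or the token.
Get-LeftoverLogonCert -Certificates (Get-ChildItem Cert:\CurrentUser\My) |
    Sort-Object Subject, Expired |
    Format-Table -AutoSize
```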