Powershell: Revoke a user certificate (template based) from the Issued Certificates on a CA when user is terminated?

When a user is terminated, we run a script to disable their account amongst other things. We have auto-enrolled certificates for users for VPN purposes that use a User template.

What is the PowerShell command to revoke a user's certificate from the 'issued certs' on our enterprise CA when they are terminated?

Running Server 2012 R2.
meade470 asked:

Learnctx (Engineer) commented:
I don't know if there are any CA specific cmdlets in Server 2012, but you can use the existing methods. There are 2 options you can use.

1. Invoke certutil


# Revoke the certificate with serial number 6ef5e9aa00000000008f
# on the CA named CAName that is hosted on the computer ServerName,
# with reason code 5: Cessation of operation
certutil -config ServerName\CAName -revoke 6ef5e9aa00000000008f 5


The revoke codes are listed below.

0: Unspecified
1: Key Compromise
2: CA Compromise
3: Affiliation Changed
4: Superseded
5: Cessation of Operation

2. Use the ICertAdmin2 interface via the CertificateAuthority.Admin COM object.


# Create the COM object that exposes ICertAdmin2
$CertAdmin = New-Object -ComObject CertificateAuthority.Admin

# Revoke the certificate with serial number 6ef5e9aa00000000008f
# on the CA named CAName that is hosted on the computer ServerName,
# with reason code 5: Cessation of operation
# Date to revoke: 0, which means immediately. You can specify a future date
# by converting the date to universal time: (Get-Date).AddDays(1).ToUniversalTime()
$CertAdmin.RevokeCertificate("ServerName\CAName","6ef5e9aa00000000008f",5,0)


The revoke codes are listed below.

0: Reason not specified.
1: Key compromise.
2: CA compromise.
3: Affiliation change.
4: Superseded.
5: Cease of operation.
6: Certificate hold (can also be unrevoked).
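As an added example that is not part of Learnctx's answer or of any Microsoft tooling: a function that joins the two pieces for the termination script in the question. It looks up the user's issued certificates from one template with certutil -view and revokes each one through the same ICertAdmin2 method, then publishes a fresh CRL so the VPN gateway sees the change. The CA config string, account name and template name are placeholders, and the certutil column names, the disposition value and the template-matching rule are assumptions about the CA database.

```powershell
# Added example (not the original answer's code). Assumed placeholders:
# -CAConfig "ServerName\CAName", -Requester "CONTOSO\jdoe", -Template "User".
function Revoke-UserTemplateCertificates {
    param(
        [Parameter(Mandatory)] [string] $CAConfig,   # "ServerName\CAName"
        [Parameter(Mandatory)] [string] $Requester,  # "DOMAIN\sAMAccountName"
        [Parameter(Mandatory)] [string] $Template,   # value as stored in the CA DB:
                                                     # name for a v1 template (User), OID for v2+
        [int]    $Reason = 5,                        # 5 = Cessation of operation, 3 = Affiliation changed
        [switch] $DryRun                             # list what would be revoked, change nothing
    )

    # Request.Disposition 20 = issued; unissued or already revoked rows are skipped.
    $restrict = "RequesterName=$Requester,Request.Disposition=20"
    $csv = & certutil -config $CAConfig -restrict $restrict `
                      -out "SerialNumber,CertificateTemplate" -view csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($csv -join ' ')" }

    # Drop blank lines and the trailing "CertUtil: ... completed" status line,
    # then skip the header row and name the columns ourselves.
    $rows = $csv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header SerialNumber, Template

    $targets = @($rows | Where-Object { $_.Template -eq $Template })
    if ($targets.Count -eq 0) {
        Write-Output "No issued '$Template' certificates found for $Requester"
        return @()
    }

    $admin = New-Object -ComObject CertificateAuthority.Admin
    foreach ($t in $targets) {
        if ($DryRun) {
            Write-Output "Would revoke $($t.SerialNumber) (reason $Reason)"
            continue
        }
        # Same ICertAdmin2 call as above; date 0 = revoke immediately.
        $admin.RevokeCertificate($CAConfig, $t.SerialNumber, $Reason, 0)
        Write-Output "Revoked $($t.SerialNumber) on $CAConfig (reason $Reason)"
    }

    # Relying parties only see the revocation once a new CRL is published.
    if (-not $DryRun) { & certutil -config $CAConfig -CRL | Out-Null }
    return $targets
}

# Usage from the termination script, with constructed placeholder values:
# Revoke-UserTemplateCertificates -CAConfig "ServerName\CAName" `
#     -Requester "CONTOSO\jdoe" -Template "User" -DryRun
```

Run it with -DryRun first and confirm the serial numbers it lists match the user's rows in the Issued Certificates view before running it for real; the account running the script needs the CA's Issue and Manage Certificates permission.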
