Enable the tool to replace actively-used cert with another issued from the same CA & cert template (pvt key compromise scenario)


User lalkin requests:
"I'd like to be able to use this tool to change the actively used cert but both certs have been issued by the same CA and use the same template."
"I'm working on designing workflow for EFS tasks and one of them is the replacement of a cert in case the private key is compromised. Thus we would be issuing a new cert from the same CA."
And I responded with:
"Based on the scenario you're targeting, would it be fair to assume that the newest certificate from the same CA would be the one you'd like to see in the user's EFS configuration?  If we can make that assumption ("always use the newest qualifying cert"), I should be able to implement an extension to the logic that builds a collection of all qualifying certs, and chooses the one with the furthest-out Expiration Date."


lalkin wrote Dec 4, 2008 at 5:39 PM

If the utility defaulted to the newest certificate that would take care of most situations I've come up with. I'm thinking using the Valid From property might be better than the expiration date. Expiration date would be fine as well, whichever is easier to grab.

wrote Feb 12, 2013 at 8:59 PM