YubiKey certificates are displayed as revoked after Appterix enrollment.
When using Appterix to enroll certificates for logging into Microsoft Active Directory using YubiKeys, the following behavior may occur:
– Users can only log in temporarily; after that, the certificate is displayed as revoked.
– The Windows certificate viewer displays the message: “This certificate has been revoked by its certification authority.”
Cause
The premature revocation of certificates issued via Appterix enrollment is usually due to an overly generous setting for the certificate renewal period.
If the renewal period (in days) is too close to the total term of the certificate, Appterix initiates the renewal too early.
Example: If the certificate is valid for 365 days and the renewal period is also set to 365 days, the system will attempt to renew the certificate immediately after it is issued, which results in the previous certificate being revoked.
Solution
Check and correct the certificate renewal settings in the Appterix administration console:
– Log in to the Appterix Management UI.
– Navigate to Settings > YubiKey Management.
– Check if the option PKI certificate renewal is activated.
– If active, check the value in the field Renewal period (in days):
Guideline: This value must not equal, or come close to, the total validity period of the certificate.
For example: If your certificate has a validity period of 365 days, reduce the renewal period to a significantly smaller value (e.g. 90 days before expiry).
– Save the changes.
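As an added example (not Appterix's own code or configuration schema), the following check works out, for a given validity period and renewal period, on which day the renewal would start and flags the misconfiguration described above, where renewal would begin at issuance; the profile names, field names and the 30-day sanity margin are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RenewalPlan:
    issued: date         # notBefore of the enrolled certificate
    expires: date        # notAfter
    renewal_opens: date  # first day renewal would be attempted
    status: str          # "immediate", "too-early" or "ok"


def plan_renewal(issued_iso: str, validity_days: int, renewal_period_days: int,
                 min_days_in_use: int = 30) -> RenewalPlan:
    """Compute when renewal starts for a certificate and classify the setting.

    Renewal starts `renewal_period_days` before expiry. If that day is at or
    before issuance, the freshly enrolled certificate is renewed right away
    and the previous one is revoked: the symptom described in this article.
    `min_days_in_use` is an assumed margin: a certificate that would be
    replaced sooner than that is flagged as "too-early".
    """
    if validity_days <= 0 or renewal_period_days < 0:
        raise ValueError("validity must be positive and renewal period non-negative")
    issued = date.fromisoformat(issued_iso)
    expires = issued + timedelta(days=validity_days)
    renewal_opens = expires - timedelta(days=renewal_period_days)
    if renewal_opens <= issued:
        status = "immediate"
    elif (renewal_opens - issued).days < min_days_in_use:
        status = "too-early"
    else:
        status = "ok"
    return RenewalPlan(issued, expires, renewal_opens, status)


def days_in_use(plan: RenewalPlan) -> int:
    """Days the certificate stays in use before renewal is attempted."""
    return (plan.renewal_opens - plan.issued).days


def audit(profiles: dict, issued_iso: str) -> dict:
    """Map each (assumed) enrollment profile name to its renewal status."""
    return {name: plan_renewal(issued_iso, p["validity_days"], p["renewal_period_days"]).status
            for name, p in profiles.items()}


# Constructed sample profiles: the broken and the corrected setting from the article.
SAMPLE_PROFILES = {
    "yubikey-ad-logon-broken": {"validity_days": 365, "renewal_period_days": 365},
    "yubikey-ad-logon-fixed": {"validity_days": 365, "renewal_period_days": 90},
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PROFILES, "2024-01-01").items():
        print(f"{name}: {status}")
```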
