User Certificates
Monitor changes to your AD user accounts and revoke obsolete certificates.
Machine Identities
Revoke certificates of deleted or altered computers in your AD.
Revoke from any CA
Submit revocation requests directly to your Microsoft CAs or to any CA connected by certEP.
"Secardeo certRevoke helps to keep your certificate inventory up-to-date, increase security and minimize PKI costs."
Digital certificates can be revoked before the end of their lifetime. The contained public key will then no longer be accepted for encryption or authentication. To achieve this, the certificate is placed on a certificate revocation list (CRL) that is signed by the CA, or an online responder (OCSP) returns the status “revoked”. However, common phenomena such as employee turnover or equipment replacement lead to situations where hundreds or thousands of valid certificates still exist although the subject or object they were issued for has disappeared. Another typical scenario is that attributes of an AD object change, for example the surname and e-mail address of a user after marriage, or the network addresses and names of computers or servers.
Secardeo certRevoke is a Windows service that integrates with Active Directory and monitors the desired AD tree and object types or the members of an AD group for deletions or attribute changes. certRevoke will automatically send a revocation request to the CA that issued a certificate for the detected AD object.
If an Active Directory object is modified or deleted, certRevoke sends a revocation request for all its associated certificates to the CA. The object attributes and organizational units to be monitored can be configured. In this way, automatic re-enrollment of certificates is triggered through group policy, for example in case of name or address changes. certRevoke supports auto-revocation for multiple Windows CAs or certEP instances.
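The reconciliation described above, as an added example that is not Secardeo's code: it compares two directory snapshots and plans one revocation request per affected certificate, grouped by issuing CA. The attribute set, the mapping to RFC 5280 reason names, the function names and all sample data are assumptions made for illustration.

```python
# Attributes whose change invalidates a certificate (assumed set; the page
# only says the monitored attributes are configurable).
MONITORED = ("sn", "mail", "dNSHostName")
# RFC 5280 CRLReason names; mapping each event to a reason is an assumption.
REASON_DELETED = "cessationOfOperation"
REASON_CHANGED = "affiliationChanged"


def detect_events(before, after, monitored=MONITORED):
    """Return {objectGUID: (reason, detail)} for deleted or altered objects."""
    events = {}
    for guid, old in before.items():
        new = after.get(guid)
        if new is None:
            events[guid] = (REASON_DELETED, "object deleted")
            continue
        changed = [a for a in monitored if old.get(a) != new.get(a)]
        if changed:
            events[guid] = (REASON_CHANGED, "changed: " + ", ".join(changed))
    return events


def plan_revocations(events, inventory):
    """Group requests by issuing CA, skipping certificates already revoked."""
    plan = {}
    for cert in inventory:
        event = events.get(cert["owner"])
        if event is None or cert["revoked"]:
            continue
        request = {"serial": cert["serial"], "reason": event[0], "detail": event[1]}
        plan.setdefault(cert["ca"], []).append(request)
    return plan


# Constructed snapshots keyed by objectGUID, so a rename shows up as a change
# to one object instead of a delete plus a create.
BEFORE = {"g-1": {"sn": "Miller", "mail": "a.miller@example.test"},
          "g-2": {"sn": "Stone", "mail": "b.stone@example.test"},
          "g-3": {"dNSHostName": "web01.example.test"}}
AFTER = {"g-1": {"sn": "Baker", "mail": "a.baker@example.test"},  # renamed
         "g-3": {"dNSHostName": "web01.example.test"}}            # g-2 deleted
# Constructed certificate inventory: serial, owning object, issuing CA.
INVENTORY = [{"serial": "1A", "owner": "g-1", "ca": "CA-1", "revoked": False},
             {"serial": "1B", "owner": "g-1", "ca": "CA-2", "revoked": False},
             {"serial": "2A", "owner": "g-2", "ca": "CA-1", "revoked": True},
             {"serial": "2B", "owner": "g-2", "ca": "CA-1", "revoked": False},
             {"serial": "3A", "owner": "g-3", "ca": "CA-1", "revoked": False}]

if __name__ == "__main__":
    for ca, reqs in plan_revocations(detect_events(BEFORE, AFTER), INVENTORY).items():
        print(ca, reqs)
```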
© 2024 Secardeo GmbH.
All rights reserved.