The current procedure for updating expired certificates is to terminate the Yubikey (which revokes the certificate) and enroll it again. This has two issues:
Best practice is to keep the revocation list on a CA as small as possible. We are putting certificates that are already expired or about to expire on the revocation list.
The Yubikey gets reset (terminated), so the user has to enter a PIN again.
Clock skew considerations
To prevent problems caused by clock skew and faulty clock implementations, we could implement a threshold of about 24 hours: if the certificate expired more than 24 hours ago, we simply delete it from the smart card without revoking it, since even a relying party whose clock is off by that much will already reject it. The threshold could be configurable.
Certificates that are about to expire should still be revoked: they are technically valid, even if only for a short time.
Key renewal discussion
The key renewal strategy depends on several factors:
The length of time the certificate has been valid
The length of the key
The possibility that the key was obtained by a malicious user
The usage of the key (authentication only, signing and/or encryption)
Whether to generate a new key pair or reuse the existing one should be configurable.
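As an added example (not the project's own code), the decision logic described under "Clock skew considerations" and the key renewal factors listed above, written in Python. The 24-hour grace period, the 2048-bit minimum key length, the two-year maximum key age and the names of the policy and certificate fields are assumptions chosen for illustration; the sample certificates are constructed, not read from a real CA.

```python
# Added example, not the project's own code. Renewal planning for a smart-card
# certificate: decide whether the old certificate must go on the CRL before it is
# deleted from the card (clock-skew threshold), and whether the existing key pair
# may be reused (key renewal factors). Thresholds below are assumed values.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyUsage(Enum):
    AUTHENTICATION = "authentication"
    SIGNING = "signing"
    ENCRYPTION = "encryption"


@dataclass(frozen=True)
class RenewalPolicy:
    # Clock-skew grace period: a certificate that expired longer ago than this is
    # deleted from the card without revocation (assumed default: 24 hours).
    skew_threshold: timedelta = timedelta(hours=24)
    # Global switch between "reuse the key where the factors allow" and "always renew".
    allow_key_reuse: bool = True
    # Keys shorter than this are always renewed (assumed value).
    min_reusable_key_bits: int = 2048
    # Keys that have been in service longer than this are always renewed (assumed value).
    max_key_age: timedelta = timedelta(days=730)


@dataclass(frozen=True)
class CertInfo:
    """What the planner needs to know about the certificate currently on the card."""
    not_before: datetime        # timezone-aware
    not_after: datetime         # timezone-aware
    key_bits: int
    key_usages: frozenset       # set of KeyUsage
    compromise_suspected: bool = False


@dataclass(frozen=True)
class RenewalPlan:
    revoke: bool                # publish the old certificate on the CRL first
    delete_from_card: bool
    reuse_key: bool             # keep the existing key pair for the new certificate
    reasons: tuple


def decide_revocation(cert: CertInfo, policy: RenewalPolicy, now: datetime):
    """Expired beyond the skew threshold: just delete. Anything newer than that
    could still be accepted by a relying party with a slow clock, so revoke it."""
    expired_for = now - cert.not_after
    if expired_for > policy.skew_threshold:
        return False, "expired beyond skew threshold; delete without revocation"
    if expired_for > timedelta(0):
        return True, "expired within skew threshold; revoke (skewed clocks may still accept it)"
    return True, "still valid; revoke"


def decide_key_reuse(cert: CertInfo, policy: RenewalPolicy, now: datetime):
    """Apply the renewal factors: compromise, key length, usage, time in service."""
    if not policy.allow_key_reuse:
        return False, "policy: always generate a new key pair"
    if cert.compromise_suspected:
        return False, "key may have been obtained by a malicious user"
    if cert.key_bits < policy.min_reusable_key_bits:
        return False, f"key too short to reuse ({cert.key_bits} bits)"
    if cert.key_usages - {KeyUsage.AUTHENTICATION}:
        return False, "key used for signing and/or encryption; renew"
    if now - cert.not_before > policy.max_key_age:
        return False, "key has been in service longer than policy allows"
    return True, "authentication-only key within policy; reuse"


def plan_renewal(cert: CertInfo, policy: RenewalPolicy, now: datetime) -> RenewalPlan:
    revoke, why_revoke = decide_revocation(cert, policy, now)
    reuse, why_key = decide_key_reuse(cert, policy, now)
    return RenewalPlan(revoke=revoke, delete_from_card=True, reuse_key=reuse,
                       reasons=(why_revoke, why_key))


def sample_plans(policy: RenewalPolicy = RenewalPolicy()) -> dict:
    """Run the planner over constructed sample certificates (not real CA data)."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    auth_only = frozenset({KeyUsage.AUTHENTICATION})
    auth_and_sign = frozenset({KeyUsage.AUTHENTICATION, KeyUsage.SIGNING})
    samples = {
        "expired 3 days ago": CertInfo(now - timedelta(days=368), now - timedelta(days=3), 2048, auth_only),
        "expired 2 hours ago": CertInfo(now - timedelta(days=365), now - timedelta(hours=2), 2048, auth_only),
        "valid 10 more days": CertInfo(now - timedelta(days=355), now + timedelta(days=10), 2048, auth_only),
        "signing key, valid": CertInfo(now - timedelta(days=355), now + timedelta(days=10), 2048, auth_and_sign),
        "short key, valid": CertInfo(now - timedelta(days=355), now + timedelta(days=10), 1024, auth_only),
    }
    return {label: plan_renewal(cert, policy, now) for label, cert in samples.items()}


if __name__ == "__main__":
    for label, plan in sample_plans().items():
        print(f"{label}: revoke={plan.revoke} reuse_key={plan.reuse_key} {plan.reasons}")
```

Everything the page says "could be configurable" lives in RenewalPolicy, so a deployment that wants to always renew keys sets allow_key_reuse=False, and one that trusts its clocks more can shorten skew_threshold. The decision to delete from the card is unconditional; only the revocation step and the key handling vary.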
User's PIN
After termination, the user has to enter their old PIN or is assigned a new one, depending on the PIN strategy used by the company. When we only renew the certificate, it could be prudent to apply the old PIN to the smart card automatically.
This should be configurable.
Documentation considerations
We should perhaps keep track of statistics: how many smart cards have been issued, how many have been revoked, how many have expired, and how many can be cleaned up.
Document how to prune expired certificates from the Microsoft CA database.
To encourage high security, we could show a security indicator (high/degraded) in the settings window.