Automatically Remove Expired Short-Lived Certificates on Windows for Teleport Desktop Access #51029

Open
programmerq opened this issue Jan 14, 2025 · 0 comments
Labels
bug c-edm Internal Customer Reference desktop-access

Expected Behavior

Expired short-lived certificates, generated on each connection through the Teleport Desktop Access feature, should be automatically removed from the Windows user's personal certificate store after they have expired.

Current Behavior

Each time a user connects using Desktop Access (non-AD), a new short-lived certificate is generated and added to the user's personal certificate store. These certificates pile up, as expired certificates are not removed automatically, leading to clutter.

When a user accesses a resource that requests cert auth, they are prompted to choose a cert from this same personal certificate store. This can include the dozens or hundreds of expired Teleport Desktop Access certificates, which is cumbersome.

Bug Details

Teleport Version

Reproduced with:

  • Teleport Enterprise 17.1.6 (cluster)
  • 16.4.6 (teleport.dll auth package)

Recreation Steps

  1. Connect to a Windows machine via Desktop Access (non-AD) multiple times, generating several short-lived certificates.
  2. Open the "Manage User Certificates" option from System Settings -> User Accounts -> Manage Your Credentials. You can also run certmgr from a non-administrator PowerShell instance. Look in Certificates - Current User\Personal\Certificates. Note one certificate present for every time this user has authenticated via Teleport.

Debug Logs

programmerq added bug c-edm Internal Customer Reference desktop-access labels Jan 14, 2025
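
A manual cleanup of the store described in the recreation steps, as an added example that is not part of the original issue and is not Teleport code. The function name, its parameters and the `<issuer-substring>` placeholder are hypothetical; the issue does not state the issuer of these certificates, so that value has to be read from one of them in certmgr.

```powershell
# Added example, not Teleport code. Function and parameter names are hypothetical.
function Remove-ExpiredIssuerCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: a substring of the Issuer field common to the certificates
        # to clean up. Read it from one of them in certmgr; the issue gives none.
        [Parameter(Mandatory = $true)]
        [string]$IssuerMatch,

        # Skip certificates that expired less than this many hours ago.
        [int]$GraceHours = 1,

        # Without -Remove the function only reports what it would delete.
        [switch]$Remove
    )

    $cutoff = (Get-Date).AddHours(-$GraceHours)

    # Cert:\CurrentUser\My is "Certificates - Current User\Personal".
    # Filtering on issuer as well as expiry leaves unrelated expired certificates
    # alone (for example ones still needed to decrypt old S/MIME mail or EFS files).
    $expired = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.NotAfter -lt $cutoff -and
        $_.Issuer.IndexOf($IssuerMatch, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    foreach ($cert in $expired) {
        if ($Remove) {
            $target = "$($cert.Thumbprint) ($($cert.Subject))"
            if ($PSCmdlet.ShouldProcess($target, 'Remove expired certificate')) {
                Remove-Item -Path $cert.PSPath
            }
        }
        else {
            # Report mode: emit the fields needed to review the selection.
            $cert | Select-Object Thumbprint, Subject, Issuer, NotAfter
        }
    }
}

# Report only, using a placeholder issuer string:
Remove-ExpiredIssuerCertificate -IssuerMatch '<issuer-substring>'
# Delete after reviewing the report; -WhatIf previews, -Confirm prompts per certificate:
# Remove-ExpiredIssuerCertificate -IssuerMatch '<issuer-substring>' -Remove -WhatIf
```

Run it from a non-administrator PowerShell session as the affected user, since the certificates are in that user's own store.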