aspnet/DataProtection

ProtectKeysWithCertificate: How to handle certificate rollover or revocation?

urbanhusky opened this issue · 1 comment

When using ProtectKeysWithCertificate(X509Certificate2), how can certificate rollover be handled?
Also, more generally, how is certificate revocation handled?

When you switch to the new certificate, just leave the old one in the cert store. Even expired certs can be used for decryption; it's just that they can't be used to encrypt new material.

Certificate revocation of a protection certificate, however... yeah, if the cert is revoked, that's it, you get nothing. That's kind of what revocation does :)
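The rollover the reply describes, as an added illustration that is not code from this issue or from the DataProtection project. It assumes the Microsoft.AspNetCore.DataProtection.Extensions package and a newer version of the library that has UnprotectKeysWithAnyCertificate; rather than relying on the old certificate still sitting in the machine store, it hands that certificate to the decryptor explicitly, so the same code works on any OS. Certificate subjects and the key directory are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

// Added example (not the issue author's or the project's code). Demonstrates rolling
// the key-protection certificate while keeping the old one available for decryption.
static class CertRollover
{
    // Throwaway self-signed certificate for the demo only; in production the certs come
    // from the machine store or a secret store. Re-importing the exported PFX gives the
    // cert a persisted-style private key, which avoids ephemeral-key quirks on Windows.
    static X509Certificate2 MakeCert(string subject)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));
    }

    static void Main()
    {
        // Placeholder key-ring location shared by both phases.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rollover-demo"));
        var oldCert = MakeCert("CN=dp-old");
        var newCert = MakeCert("CN=dp-new");

        // Phase 1: keys in the ring are encrypted with the old certificate.
        var before = DataProtectionProvider.Create(keyDir, b => b.ProtectKeysWithCertificate(oldCert));
        string token = before.CreateProtector("demo").Protect("secret");

        // Phase 2 (rollover): keys generated from now on are encrypted with the new
        // certificate, but the old certificate remains available so keys it protected
        // (and therefore payloads like `token`) can still be decrypted.
        var after = DataProtectionProvider.Create(keyDir, b => b
            .ProtectKeysWithCertificate(newCert)
            .UnprotectKeysWithAnyCertificate(oldCert));

        Console.WriteLine(after.CreateProtector("demo").Unprotect(token)); // secret
    }
}
```

Dropping oldCert from UnprotectKeysWithAnyCertificate (or removing it from the store) leaves every key it protected unreadable, which is the same outcome the reply describes for a revoked certificate.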