A certificate stays valid until the expiry date written into it, even after the user's password is changed: password changes do not touch issued certificates, and only revocation of the certificate or disabling of the account stops it from being usable for Kerberos (PKINIT) logon. If we compromise a user who has enrollment rights on an AD CS template that has the Client Authentication EKU, we can request a certificate for that user and keep authenticating with it until it expires. The lifetime is set by the template's Validity Period (subject to the CA's own lifetime and maximum-validity settings).
Renew compromised or requested certificates before they expire; a renewal request is signed with the existing certificate and yields a new certificate with a fresh validity period, so it has to be made while the current one is still valid. Note the Validity Period (and the Renewal Period) of the template, and the NotAfter date of each certificate you hold!
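Added example (not part of the course material): the template's Validity Period and Renewal Period live on the template object in the Configuration partition as the LDAP attributes pKIExpirationPeriod and pKIOverlapPeriod, each an 8-byte little-endian signed integer holding a negative count of 100-nanosecond intervals. The block below decodes them in Python, derives the expected NotAfter from a certificate's NotBefore, and reports whether the certificate is still fine, inside its renewal window, or already expired. The byte strings are the default 1-year / 6-week values; the timestamps are constructed for the example.

```python
"""Decode AD CS template validity periods and plan certificate renewal.

Added example for this page, not code from the course. The attribute values
are the default encodings of a 1-year pKIExpirationPeriod and a 6-week
pKIOverlapPeriod; the certificate dates are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# As returned by LDAP for the built-in User template (constructed sample,
# but these are the well-known default encodings).
PKI_EXPIRATION_1Y = bytes.fromhex("004039872EE1FEFF")  # 1 year
PKI_OVERLAP_6W = bytes.fromhex("0080A60AFFDEFFFF")     # 6 weeks


def decode_pki_period(raw: bytes) -> timedelta:
    """Turn a pKIExpirationPeriod/pKIOverlapPeriod value into a timedelta.

    The value is a little-endian int64 holding a *negative* number of
    100 ns ticks (the same representation Windows uses for durations).
    """
    if len(raw) != 8:
        raise ValueError("pKI period attribute must be exactly 8 bytes")
    (ticks,) = struct.unpack("<q", raw)
    if ticks > 0:
        raise ValueError("expected a negative 100 ns tick count")
    # 10 ticks of 100 ns = 1 microsecond; timedelta normalises the rest.
    return timedelta(microseconds=-ticks // 10)


def renewal_status(now: datetime, not_after: datetime, overlap: timedelta) -> str:
    """Classify a certificate relative to its expiry and renewal window.

    'renew-now' means we are inside the overlap period: still valid, and
    the CA will accept a renewal request signed with this certificate.
    """
    if now >= not_after:
        return "expired"
    if now >= not_after - overlap:
        return "renew-now"
    return "valid"


def plan_renewal(not_before: datetime, expiration_raw: bytes,
                 overlap_raw: bytes, now: datetime) -> dict:
    """Derive NotAfter and the renewal window for a certificate issued at
    `not_before` from a template with the given period attributes.

    The CA may clamp the lifetime to its own limits, so always compare with
    the NotAfter of the certificate you actually received.
    """
    validity = decode_pki_period(expiration_raw)
    overlap = decode_pki_period(overlap_raw)
    not_after = not_before + validity
    return {
        "not_after": not_after,
        "renew_after": not_after - overlap,   # start of renewal window
        "deadline": not_after,                # last moment renewal works
        "status": renewal_status(now, not_after, overlap),
    }


if __name__ == "__main__":
    issued = datetime(2024, 1, 10, tzinfo=timezone.utc)   # constructed
    for when in (datetime(2024, 6, 1, tzinfo=timezone.utc),
                 datetime(2024, 12, 15, tzinfo=timezone.utc),
                 datetime(2025, 2, 1, tzinfo=timezone.utc)):
        p = plan_renewal(issued, PKI_EXPIRATION_1Y, PKI_OVERLAP_6W, when)
        print(f"{when.date()}: NotAfter={p['not_after'].date()} "
              f"renew from {p['renew_after'].date()} -> {p['status']}")
```

Read the raw attribute from a domain-joined box with `Get-ADObject ... -Properties pKIExpirationPeriod,pKIOverlapPeriod` (or any LDAP client) and feed the bytes in; the same decoding applies to both attributes. The "renew-now" window is also where Windows autoenrollment would renew on the legitimate user's behalf, which is why a long-lived certificate quietly survives password resets.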