Safe to delete expired CA cert?

Question

Hello, I'm cleaning up very old Enterprise CA objects in AD as machines are still getting pushed old certs between 2005 and 2015 from the old decommissioned objects. One of the steps is to delete NtAuth certs by using this command:
certutil -viewdelstore “ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectclass=certificationAuthority”
I see this Certificate #0 as shown in the picture below in the list of certs (this is our active CA). It expired on 3/19/2020, so not too long ago. Is it also safe to delete this expired cert by using the certutil command up above?

Source link:
https://social.technet.microsoft.com/Forums/en-US/38457f49-1875-487b-afcf-2e3150e9f1b0/safe-to-delete-expired-ca-cert?forum=winserversecurity

Answer 1

Hi,

Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

Note: Backup the CA including the database and log files prior to deleting any certificates from the database.
For more information ,you can refer to the following link:

https://learn.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

Following script for your reference: https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-expired-8fcfcf48

Best Regards,