question

DaisyZhou-MSFT asked ·

Safe to delete expired CA cert?

Hello, I'm cleaning up very old Enterprise CA objects in AD as machines are still getting pushed old certs between 2005 and 2015 from the old decommissioned objects. One of the steps is to delete NtAuth certs by using this command:
certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectclass=certificationAuthority"
I see this Certificate #0 as shown in the picture below in the list of certs (this is our active CA). It expired on 3/19/2020, so not too long ago. Is it also safe to delete this expired cert by using the certutil command up above?
(Screenshot attachment: upd1.png)
Source link:
https://social.technet.microsoft.com/Forums/en-US/38457f49-1875-487b-afcf-2e3150e9f1b0/safe-to-delete-expired-ca-cert?forum=winserversecurity


1 Answer

FanFan-MSFT answered ·

Hi,

Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if you have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

Note: Backup the CA including the database and log files prior to deleting any certificates from the database.
For more information, you can refer to the following link:

https://docs.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

The following script is for your reference: https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-expired-8fcfcf48

Best Regards,
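As an added example (not part of the original thread or the linked script), a read-only PowerShell audit of the NtAuthCertificates container the question is about: it lists each published CA certificate with its validity period and flags the expired ones, and exports a copy of every entry to disk so a backup exists before anyone runs the certutil -viewdelstore deletion. It assumes the caller can read the Configuration naming context and that $BackupDir is a placeholder path to be replaced.

```powershell
# Added example (not from the original thread): read-only audit of the
# NtAuthCertificates container, plus an export of every published CA
# certificate to disk so a copy exists before any -viewdelstore deletion.
# Assumes: the caller can read the Configuration naming context, and
# $BackupDir is a placeholder path you replace.
$BackupDir = 'C:\NtAuthBackup'   # placeholder, change to a real folder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Locate the container from RootDSE instead of hard-coding DC=domain,DC=com
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$ntAuth   = [ADSI]"LDAP://CN=NtAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

$now    = Get-Date
$index  = 0   # this script's own enumeration order, not necessarily certutil's numbering
$report = foreach ($raw in $ntAuth.Properties['cACertificate']) {
    # Each cACertificate value is the DER-encoded CA certificate
    $bytes = [byte[]]$raw
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # Keep a byte-exact copy of what is stored in AD before any deletion
    $file = Join-Path $BackupDir "ntauth-$index-$($cert.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($file, $bytes)

    [pscustomobject]@{
        Index      = $index
        Expired    = ($cert.NotAfter -lt $now)
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
    }
    $index++
}

# Expired entries are the candidates for removal; unexpired entries must stay
$report | Sort-Object NotAfter | Format-Table Index, Expired, NotAfter, Subject, Thumbprint -AutoSize
```

Nothing here modifies AD; compare the Expired column against what certutil -viewdelstore shows before confirming any deletion in that dialog.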
