We have a 2-tier PKI environment. Every time I add a server to the domain, 2 expired root certificates appear in the Intermediate CA store of the new server.
One is of the Cross Certification Authority certificate template and the other is of the Root Certification template; both are expired.
We previously had a cross-certification to another PKI, but it has already been decommissioned.
I would like to know how to stop new computers from getting these certificates, and is there a way to clean up the prod servers that have the expired certificates?