Solved

Delete/revoke expired certificates from Local Certificate Authority

Posted on 2009-07-13
14
12,061 Views
Last Modified: 2013-12-04
I have a large number of expired certificates on a local certification authority which also happens to be an exchange server. Primarily these were used for WPA. Most of the users have deleted expired certificates from their local machine.

I know that I can revoke them but do not see an option to delete them. My question is twofold:

Can they be deleted? Also, am I safe in deleting or revoking them?

Attached is an example screenshot:
certexpire.png
Question by:BDoellefeld
14 Comments
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24844012
Once the certificate has been revoked, you can delete the certificate. It is safe to remove them and it will not cause any issues with Exchange.
 
LVL 8

Expert Comment

by:Npatang
ID: 24844057
http://technet.microsoft.com/en-us/library/cc875810.aspx

 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 24844346
You can delete the certs from the MMC or cmd line.  I use a script I made to delete them.  Like Exchange, just because you delete rows does not mean the DB space is cleaned up, however.  You can use the same jet compression utility, eseutil, to clean up the CA database.

For the script, run as many times as you need to until each section reports Deleted rows: 0.
@ECHO OFF
@ECHO ............................
@ECHO .                          .
@ECHO . CA Database Cleanup      .
@ECHO .                          .
@ECHO . Version 1.0              .
@ECHO .                          .
@ECHO . Created by Paranormastic .
@ECHO ............................
 
@ECHO Make sure to backup the CA Database prior to running this script.
@ECHO Please enter the date to clean the database up to (MM/DD/YYYY):
SET /P _CleanDate=
 
 
@ECHO Please choose one of the following options.
@ECHO Press 1 for ***SUBCA1***
@ECHO Press 2 for ***SUBCA2***
REM Must list these in reverse order when setting the environment variable
 
SET /P _CAChoice=
    IF %_CAChoice%==2 SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA2***
    IF %_CAChoice%==1 SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA1***
 
REM Note - the 'cert' table includes both expired and revoked certs.
 
@ECHO The following commands may take a couple minutes to time out.
@ECHO If the CA database is larger, you may need to run this a few times.
@ECHO This should clean up a couple thousand entries per line.
 
@ECHO ON
 
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
 
@ECHO OFF
GOTO END
 
:TEST
@echo %_CleanDate% date
@echo %_CAChoice% choice
@echo %_UseCA% ca name
GOTO END
 
:END
@ECHO .............
@ECHO .           .
@ECHO . ALL DONE! .
@ECHO .           .
@ECHO .............
pause


 
LVL 31

Expert Comment

by:Paranormastic
ID: 24844372
After that is done, back up the CA database:
certutil -backupdb

Use the following command to determine the location of the database files for a CA:
certutil -databaselocations

This can also be checked via GUI by selecting the Properties of the CA_Name via the Certification Authority MMC, and then viewing the Storage tab - it should be a .edb file.

Use the following command to defragment the CA database:
Eseutil.exe /d %path_to_CA_DB%\<CA_Name>.edb /t %optional_temp_path%

This can take a few hours to run on larger databases - we compressed a 12 GB database down to 4 GB on a P3 server in about 5-6 hours, if memory serves.
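The batch script in the accepted solution runs each certutil -deleterow line a fixed number of times and leaves it to the operator to re-run it until every section reports zero deleted rows, and the follow-up comment adds the backup and defragmentation steps. The PowerShell below is an added example, not code from this thread or from Paranormastic: it takes the backup first, then loops each table until certutil stops deleting rows. The CA config string, the backup directory, the pass limit and the regex used to read certutil's "Deleted ... rows" line are assumptions.

```powershell
# Added example (not the thread's script): back up the CA database, then run
# certutil -deleterow per table until a pass deletes nothing.
param(
    [Parameter(Mandatory)] [string]   $Config,      # e.g. "SERVER2.DOMAIN.COM\SUBCA2" (placeholder from the thread)
    [Parameter(Mandatory)] [datetime] $CutoffDate,  # rows dated at or before this are deleted
    [string] $BackupDir = "C:\CABackup\$(Get-Date -Format yyyyMMdd-HHmmss)",  # assumed location
    [int]    $MaxPasses = 50                         # hard stop so a parse failure cannot loop forever
)

# certutil expects MM/DD/YYYY; format it explicitly so the console locale cannot change the meaning.
$cutoff = $CutoffDate.ToString('MM/dd/yyyy', [cultureinfo]::InvariantCulture)

# Back up first: -deleterow is not reversible and eseutil /d later rewrites the .edb directly.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& certutil.exe -config $Config -backupdb $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backupdb failed with exit code $LASTEXITCODE; aborting before any deletions."
}

# crl: expired CRLs; request: failed/pending requests by submission date;
# cert: expired and revoked certificates by expiration date (as the thread's script notes).
foreach ($table in 'crl', 'request', 'cert') {
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $output = & certutil.exe -deleterow -config $Config $cutoff $table 2>&1 | Out-String

        # Assumed output wording: a line containing "Deleted" followed by a row count.
        if ($output -match 'Deleted\D*(\d+)\D*rows?') {
            $deleted = [int] $Matches[1]
        } else {
            Write-Warning "Could not parse -deleterow output for table '$table'; stopping this table.`n$output"
            break
        }
        Write-Host ("[{0}] pass {1}: deleted {2} rows" -f $table, $pass, $deleted)

        # certutil stops after a batch of rows; a non-zero count means another pass is needed.
        if ($deleted -eq 0) { break }
    }
}
Write-Host "Done. Deleted rows do not shrink the file; run eseutil /d on the .edb afterwards."
```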
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24844452
@all
You can delete these? I can't seem to delete anything (while logged in as administrator), there is no delete option. I have not tried the script yet wanted to delete a few manually first.
certexpire2.png
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24849566
Ya got me.  I thought I remembered there being a thing in the GUI.  When I need to clean up the database I need to do about 10-25,000 records at a time so I always use my scripts for almost every administrative task due to the sheer volume that we handle.  Just remember to backup - just like most maintenance tasks it usually works fine but I have heard of it going south once - luckily they did do the backup first, and we were able to work through it.
 
LVL 9

Author Comment

by:BDoellefeld
ID: 25038502
@admin

I'd like to hold the question open a bit longer. I still am at a loss on how to delete a certificate from the CA as the option to delete is not available.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 125 total points
ID: 25038818
It is not possible to delete a certificate via the Certificate Authority window.  You can only revoke the certificate.
If they have expired, then you can safely revoke them.
 
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 125 total points
ID: 25040724
 
LVL 37

Expert Comment

by:bbao
ID: 25053885
agree with Subsun. her/his comment should be the answer.
 
LVL 9

Author Closing Comment

by:BDoellefeld
ID: 31603025
Thank you for the replies.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 25071526
>> agree with Subsun. her/his comment should be the answer.
I disagree.  Here is why:

Simply put - it does not answer the question.  Mine did.

The batch script I provided is how I do this all the time to clean up tens of thousands of expired certs from our CA database monthly.  The followup posting describes the method to compress the CA database afterwards.

You should not revoke expired certs unless you want to make your CRL unnecessarily large.  That's why they expire - so you don't have to revoke them after their lifespan has run its course.

The two links are:
1. Description of certutil.  Nice, but only so useful.
2. Describes how to remove a cert from the local store, not the CA database.  Asker stated that most users had already removed the stale certs from the local store, so this is not necessary.  Handy stuff, but not what Asker was looking for.

I apologize to BDoellefeld that I've been a bit busy lately so haven't been able to check back as much.  The script I provided will delete the expired certs from the database; it will prompt you for the date to clean up to.  Sometimes it needs to be run more than once if you handle thousands of certs, otherwise once should do it for most people.  Just copy it into Notepad and change out the ***variables*** (the %variables% should be left alone as they are part of the actual script).

Note that as with some other databases, like Exchange, deleting the entry does not shrink the size of the file.  So you need to compress it afterwards.  Exchange's eseutil utility works just fine for the CA database - just back up data first as with any database compression it normally works fine but problems can happen.