Delete/revoke expired certificates from Local Certificate Authority

I have a large number of expired certificates on a local certification authority which also happens to be an exchange server. Primarily these were used for WPA. Most of the users have deleted expired certificates from their local machine.

I know that I can revoke them but do not see an option to delete them. My question is twofold:

Can they be deleted? Also, am I safe in deleting or revoking them?

Attached is an example screenshot: certexpire.png
BDoellefeld asked:
lastlostlast commented:
Once the certificate has been revoked, you can delete the certificate. It is safe to remove them and it will not cause any issues with Exchange.
0
Npatang commented:
http://technet.microsoft.com/en-us/library/cc875810.aspx
0
Paranormastic (Cryptographic Engineer) commented:
You can delete the certs from the MMC or cmd line.  I use a script I made to delete them.  Like Exchange, just because you delete rows does not mean the DB space is cleaned up, however.  You can use the same jet compression utility, eseutil, to clean up the CA database.

For the script, run it as many times as you need to until each section reports Deleted rows: 0.

@ECHO OFF
@ECHO ............................
@ECHO .                          .
@ECHO . CA Database Cleanup      .
@ECHO .                          .
@ECHO . Version 1.0              .
@ECHO .                          .
@ECHO . Created by Paranormastic .
@ECHO ............................
 
@ECHO Make sure to backup the CA Database prior to running this script.
@ECHO Please enter the date to clean the database up to (MM/DD/YYYY):
SET /P _CleanDate=
 
 
@ECHO Please choose one of the following options.
@ECHO Press 1 for ***SUBCA1***
@ECHO Press 2 for ***SUBCA2***
REM Replace the ***values*** below with your own CA config strings (SERVER\CAName).
REM Batch comments must use REM (a lone ':' is parsed as a label, not a comment).
 
SET /P _CAChoice=
REM Quoted comparison so an empty or unexpected answer does not break the IF.
    IF "%_CAChoice%"=="2" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA2***
    IF "%_CAChoice%"=="1" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA1***
IF NOT DEFINED _UseCA (
    @ECHO No valid CA chosen - nothing done.
    GOTO END
)
 
REM Note - 'cert' includes both expired and revoked certs.
 
@ECHO The following commands may take a couple minutes to time out.
@ECHO If the CA database is larger, you may need to run this a few times.
@ECHO This should clean up a couple thousand entries per line.
 
REM Each certutil call deletes a bounded batch of rows, hence the repeated lines;
REM rerun the script until every call reports Deleted rows: 0.
@ECHO ON
 
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
 
@ECHO OFF
GOTO END
 
REM Debug block, not reached in normal runs: jump here (GOTO TEST) to print the inputs.
:TEST
@echo %_CleanDate% date
@echo %_CAChoice% choice
@echo %_UseCA% ca name
GOTO END
 
:END
@ECHO .............
@ECHO .           .
@ECHO . ALL DONE! .
@ECHO .           .
@ECHO .............
pause
0
Paranormastic (Cryptographic Engineer) commented:
After that is done, back up the CA database:
certutil -backupdb <BackupDirectory>

Use the following command to determine the location of the database files for a CA:
certutil -databaselocations

This can also be checked via the GUI by selecting the Properties of the CA_Name in the Certification Authority MMC and then viewing the Storage tab; it should be a .edb file.

Use the following command for defragmenting the CA database:
Eseutil.exe /d %path_to_CA_DB%\<CA_Name>.edb /t %optional_temp_path%

This can take a few hours to run on larger databases; we compressed a 12 GB database down to 4 GB on a P3 server in about 5-6 hours, if memory serves.
0
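The two posts above describe one procedure: delete old rows with certutil -deleterow (repeating until nothing is left), then back up and offline-defragment the .edb file with eseutil. The following PowerShell script is an added example, not Paranormastic's script or anything from the thread, that strings those steps together with the checks a defender would want before touching a CA database: a dry-run count of what will be removed, a mandatory backup that aborts the run if it fails, and the CA service stopped only for the duration of the defragmentation. Placeholders you must supply are the CA config string (SERVER\CAName) and the cut-off date; it assumes certutil's -deleterow output contains "Deleted rows: N" or "Deleted N rows", that the CA's database directory and active CA name can be read from the CertSvc\Configuration registry key, and that the cut-off date is written in the format certutil expects on your system (the thread uses MM/DD/YYYY).

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the thread). Guarded version of the certutil/eseutil steps
# described above. Placeholders: -CAConfig "<SERVER>\<CAName>", -CleanDate "<MM/DD/YYYY>".
# Assumptions: certutil -deleterow reports "Deleted rows: N" or "Deleted N rows";
# DBDirectory and Active live under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
param(
    [Parameter(Mandatory)] [string] $CAConfig,
    [Parameter(Mandatory)] [string] $CleanDate,
    [string] $BackupRoot = 'C:\CABackup',   # assumed local backup target
    [switch] $DryRun                        # count only, change nothing
)

function Get-ExpiredIssuedCount {
    param([string] $Config, [string] $Before)
    # Issued certs (Disposition 20) whose NotAfter is on or before the cut-off:
    # this is what "-deleterow <date> cert" will remove, so review it before deleting.
    $csv = certutil -config $Config -restrict "Disposition=20,NotAfter<=$Before" `
                    -out 'RequestID,NotAfter' -view csv
    # First line is the header row; data rows begin with the numeric Request ID.
    return @($csv | Select-Object -Skip 1 | Where-Object { $_ -match '^\s*"?\d' }).Count
}

function Invoke-DeleteRowsUntilEmpty {
    param([string] $Config, [string] $Before, [string] $Table, [int] $MaxPasses = 50)
    # Each certutil call deletes a bounded batch and may time out on a big database,
    # so repeat until it reports zero rows, as the batch script's author advises.
    $total = 0
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $out = certutil -config $Config -deleterow $Before $Table 2>&1 | Out-String
        $deleted = 0
        if ($out -match 'Deleted rows:\s*(\d+)' -or $out -match 'Deleted\s+(\d+)\s+rows') {
            $deleted = [int] $Matches[1]
        }
        $total += $deleted
        Write-Host ('{0}: pass {1} removed {2} rows' -f $Table, $pass, $deleted)
        if ($deleted -eq 0) { break }
    }
    return $total
}

$expired = Get-ExpiredIssuedCount -Config $CAConfig -Before $CleanDate
Write-Host "Issued certificates expired on or before $CleanDate : $expired"
if ($DryRun) { return }

# 1. Back up database and log files first; stop here if that fails.
$backupDir = Join-Path $BackupRoot ('CA-{0:yyyyMMdd-HHmm}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -config $CAConfig -backupdb $backupDir
if ($LASTEXITCODE -ne 0) { throw 'certutil -backupdb failed; database left untouched.' }

# 2. Purge rows older than the cut-off, table by table, as the batch script does.
foreach ($table in 'crl', 'request', 'cert') {
    $n = Invoke-DeleteRowsUntilEmpty -Config $CAConfig -Before $CleanDate -Table $table
    Write-Host "$table : $n rows removed in total"
}

# 3. Deleting rows does not shrink the .edb file; defragment it offline.
#    The path is read from the CertSvc registry values (certutil -databaselocations
#    shows the same information interactively).
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbPath  = Join-Path $cfg.DBDirectory ($cfg.Active + '.edb')
$tmpPath = Join-Path $env:TEMP 'ca-defrag-temp.edb'
Stop-Service CertSvc                        # eseutil needs exclusive access to the file
try {
    # eseutil.exe ships with Exchange; Windows' own esentutl.exe accepts the same /d /t switches.
    eseutil /d $dbPath /t $tmpPath
    if ($LASTEXITCODE -ne 0) { throw "eseutil /d failed; restore from $backupDir if needed." }
} finally {
    Start-Service CertSvc                   # bring the CA back even if the defrag failed
}
```

Run it once with -DryRun to see how many issued certificates fall before the cut-off, then without it to do the work. The order crl, request, cert mirrors the batch script; the service is stopped only around eseutil because certutil -backupdb and -deleterow work against a running CA, while an offline defragmentation needs the file closed.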
BDoellefeld (Author) commented:
@all
You can delete these? I can't seem to delete anything (while logged in as administrator), there is no delete option. I have not tried the script yet wanted to delete a few manually first.
certexpire2.png
0
Paranormastic (Cryptographic Engineer) commented:
Ya got me.  I thought I remembered there being a thing in the GUI.  When I need to clean up the database I need to do about 10-25,000 records at a time, so I always use my scripts for almost every administrative task due to the sheer volume that we handle.  Just remember to back up - just like most maintenance tasks it usually works fine, but I have heard of it going south once - luckily they did do the backup first, and we were able to work through it.
0
BDoellefeld (Author) commented:
@admin

I'd like to hold the question open a bit longer. I still am at a loss on how to delete a certificate from the CA as the option to delete is not available.
0
Alan Hardisty (Co-Owner) commented:
It is not possible to delete a certificate via the Certificate Authority window.  You can only revoke the certificate.
If they have expired, then you can safely revoke them.
 
0
Subsun commented:
0
bbao (IT Consultant) commented:
Agree with Subsun. Her/his comment should be the answer.
0
BDoellefeld (Author) commented:
Thank you for the replies.
0
Paranormastic (Cryptographic Engineer) commented:
>> agree with Subsun. her/his comment should be the answer.
I disagree.  Here is why:

Simply put - it does not answer the question.  Mine did.

The batch script I provided is how I do this all the time to clean up tens of thousands of expired certs from our CA database monthly.  The followup posting describes the method to compress the CA database afterwards.

You should not revoke expired certs unless you want to make your CRL unnecessarily large.  That's why they expire - so you don't have to revoke them after their lifespan has run its course.

The two links are:
1. A description of certutil.  Nice, but only so useful.
2. A description of how to remove a cert from the local store, not the CA database.  The asker stated that most users had already removed the stale certs from the local store, so this is not necessary.  Handy stuff, but not what the asker was looking for.

I apologize to BDoellefeld that I've been a bit busy lately, so I haven't been able to check back as much.  The script I provided will delete the expired certs from the database; it will prompt you for the date to clean up to.  Sometimes it needs to be run more than once if you handle thousands of certs, otherwise once should do it for most people.  Just copy it into Notepad and change out the ***variables*** (the %variables% should be left alone as they are part of the actual script).

Note that, as with some other databases like Exchange, deleting the entry does not shrink the size of the file, so you need to compress it afterwards.  Exchange's eseutil utility works just fine for the CA database - just back up the data first; as with any database compression it normally works fine, but problems can happen.
0