
Delete/revoke expired certificates from Local Certificate Authority

Posted on 2009-07-13
Last Modified: 2013-12-04
I have a large number of expired certificates on a local certification authority which also happens to be an Exchange server. Primarily these were used for WPA. Most of the users have deleted expired certificates from their local machine.

I know that I can revoke them but do not see an option to delete them. My question is twofold:

Can they be deleted? Also, am I safe in deleting or revoking them?

Attached is an example screen shot
certexpire.png
14 Comments
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24844012
Once the certificate has been revoked, you can delete the certificate. It is safe to remove them and it will not cause any issues with Exchange.
 
LVL 8

Expert Comment

by:Npatang
ID: 24844057
http://technet.microsoft.com/en-us/library/cc875810.aspx

 
LVL 31

Accepted Solution

by:
Paranormastic earned 1000 total points
ID: 24844346
You can delete the certs from the MMC or cmd line.  I use a script I made to delete them.  Like Exchange, just because you delete rows does not mean the DB space is cleaned up, however.  You can use the same jet compression utility, eseutil, to clean up the CA database.

For the script, run as many times as you need to until each section reports Deleted rows: 0.

@ECHO OFF
:: Keep the variables local to this run so a stale _UseCA from an earlier run
:: cannot slip past the validity check below.
SETLOCAL
@ECHO ............................
@ECHO .                          .
@ECHO . CA Database Cleanup      .
@ECHO .                          .
@ECHO . Version 1.0              .
@ECHO .                          .
@ECHO . Created by Paranormastic .
@ECHO ............................

@ECHO Make sure to backup the CA Database prior to running this script.
@ECHO Please enter the date to clean the database up to (MM/DD/YYYY):
SET /P _CleanDate=

@ECHO Please choose one of the following options.
@ECHO Press 1 for ***SUBCA1***
@ECHO Press 2 for ***SUBCA2***
:: Replace the ***values*** with your own CA config strings (Host\CAName).
:: Must list these in reverse order when setting environment variable

SET /P _CAChoice=
    :: Quoted comparison, so an empty or unexpected answer is not a syntax error.
    IF "%_CAChoice%"=="2" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA2***
    IF "%_CAChoice%"=="1" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA1***
    IF NOT DEFINED _UseCA (
        @ECHO Invalid choice "%_CAChoice%" - nothing deleted.
        GOTO END
    )

:: Note - 'cert' includes both expired and revoked certs: cert rows are selected
:: by expiration date, request rows by submission date, crl rows by their expiry.

@ECHO The following commands may take a couple minutes to time out.
@ECHO If the CA database is larger, you may need to run this a few times.
@ECHO This should clean up a couple thousand entries per line.

@ECHO ON

Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert

@ECHO OFF
GOTO END

:: Debug helper - not reached in a normal run; jump here with GOTO TEST to print the inputs.
:TEST
@echo %_CleanDate% date
@echo %_CAChoice% choice
@echo %_UseCA% ca name
GOTO END

:END
@ECHO .............
@ECHO .           .
@ECHO . ALL DONE! .
@ECHO .           .
@ECHO .............
pause

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24844372
After that is done, back up the CA database:
certutil -backupdb <backup_directory>

Use the following command to determine the location of the database files for a CA:
 certutil -databaselocations

This can also be checked via the GUI by selecting the Properties of the CA_Name via the Certification Authority MMC, and then viewing the Storage tab - it should be a .edb file.

Use the following command for defragmenting the CA database:
Eseutil.exe /d %path_to_CA_DB%\<CA_Name>.edb /t %optional_temp_path%

This can take a few hours to run on larger databases - we compressed a 12 GB database down to 4 GB on a P3 server in about 5-6 hours, if memory serves.
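The procedure from the accepted solution and the follow-up above (back up, purge rows table by table until certutil reports zero deleted rows, then compact the .edb offline), as one PowerShell script. This is an added example, not the poster's batch script or anything from the original page. The default CA config string, cut-off date and backup folder are placeholders; the script also assumes that certutil prints the deleted-row count on a line mentioning "rows" (as in the "Deleted rows: 0" the post describes), and that the database path can be read from the CertSvc\Configuration registry key, which holds the same values the CA's Storage tab shows. Run it elevated on the CA itself.

```powershell
<#
  Added example (not the original poster's script): clean expired rows out of an
  AD CS database with certutil -deleterow, then compact the .edb with eseutil /d.
  Placeholders: the default CA config string, cut-off date and backup folder.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Host\CAName as shown by: certutil -config - -ping   (placeholder value)
    [string]   $CAConfig  = 'SERVER2.DOMAIN.COM\SUBCA1',
    # Cert rows are selected by expiry (NotAfter), Request rows by submission date,
    # CRL rows by their expiry; everything older than this date is deleted. (placeholder)
    [datetime] $CleanDate = '2009-01-01',
    [string]   $BackupDir = 'D:\CABackup\' + (Get-Date -Format 'yyyyMMdd'),   # placeholder
    [switch]   $Defragment
)

function Invoke-CertUtil {
    param([string[]] $Arguments)
    $text = & certutil.exe @Arguments 2>&1 | Out-String
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
}

# Step 1: full backup first. A delete pass that goes wrong is recoverable only from this.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$r = Invoke-CertUtil @('-config', $CAConfig, '-backupdb', $BackupDir)
if ($r.ExitCode -ne 0) { throw "certutil -backupdb failed:`n$($r.Output)" }

# Step 2: delete rows older than the cut-off, one table at a time. certutil works in
# batches of a couple of thousand rows and may time out mid-table, so repeat until a
# pass reports zero deleted rows. CRLs and requests first, then certs, as in the batch
# script above.
$dateArg = $CleanDate.ToString('MM/dd/yyyy')   # certutil parses the date in the machine's locale format
foreach ($table in 'crl', 'request', 'cert') {
    if (-not $PSCmdlet.ShouldProcess("$CAConfig table '$table'", "delete rows older than $dateArg")) { continue }
    for ($pass = 1; $pass -le 100; $pass++) {
        $r = Invoke-CertUtil @('-config', $CAConfig, '-deleterow', $dateArg, $table)
        # Assumption: the count is the first number on the output line that mentions rows.
        $m = [regex]::Match($r.Output, '(?im)^(?=.*\brows?\b).*?(\d+)')
        $deleted = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
        Write-Host ("{0,-8} pass {1,3}: {2,6} rows deleted" -f $table, $pass, $deleted)
        if ($deleted -eq 0) {
            if ($r.ExitCode -ne 0) { throw "certutil -deleterow $table failed:`n$($r.Output)" }
            break   # table is clean up to the cut-off date
        }
        # A non-zero exit with rows deleted is the batch time-out described above: run another pass.
    }
}

# Step 3 (optional): compact the .edb. Deleting rows does not shrink the file, and
# eseutil needs exclusive access, so the CA service is stopped for the duration.
if ($Defragment -and $PSCmdlet.ShouldProcess($CAConfig, 'offline defragment with eseutil /d')) {
    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $edb = Join-Path $cfg.DBDirectory ($cfg.Active + '.edb')   # same path the Storage tab shows
    Stop-Service -Name CertSvc -Force
    try {
        $before = (Get-Item $edb).Length
        & eseutil.exe /d $edb          # needs free space for a temporary copy of the database
        if ($LASTEXITCODE -ne 0) { throw "eseutil /d exited with code $LASTEXITCODE" }
        $after = (Get-Item $edb).Length
        Write-Host ("{0}: {1:N0} MB -> {2:N0} MB" -f $edb, ($before / 1MB), ($after / 1MB))
    }
    finally {
        Start-Service -Name CertSvc
    }
}
```

Run with -WhatIf first to see which tables and date would be touched without deleting anything, and pass -Defragment only once the delete passes have finished; the service stop is what gives eseutil the exclusive access it needs, so schedule that step for a maintenance window.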
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24844452
@all
You can delete these? I can't seem to delete anything (while logged in as administrator), there is no delete option. I have not tried the script yet wanted to delete a few manually first.
certexpire2.png
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24849566
Ya got me.  I thought I remembered there being a thing in the GUI.  When I need to clean up the database I need to do about 10-25,000 records at a time so I always use my scripts for almost every administrative task due to the sheer volume that we handle.  Just remember to backup - just like most maintenance tasks it usually works fine but I have heard of it going south once - luckily they did do the backup first, and we were able to work through it.
 
LVL 9

Author Comment

by:BDoellefeld
ID: 25038502
@admin

I'd like to hold the question open a bit longer. I still am at a loss on how to delete a certificate from the CA as the option to delete is not available.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 25038818
It is not possible to delete a certificate via the Certificate Authority window.  You can only revoke the certificate.
If they have expired, then you can safely revoke them.
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 500 total points
ID: 25040724
 
LVL 37

Expert Comment

by:bbao
ID: 25053885
Agree with Subsun. Her/his comment should be the answer.
 
LVL 9

Author Closing Comment

by:BDoellefeld
ID: 31603025
Thank you for the replies.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 25071526
>> agree with Subsun. her/his comment should be the answer.
I disagree.  Here is why:

Simply put - it does not answer the question.  Mine did.

The batch script I provided is how I do this all the time to clean up tens of thousands of expired certs from our CA database monthly.  The followup posting describes the method to compress the CA database afterwards.

You should not revoke expired certs unless you want to make your CRL unnecessarily large.  That's why they expire - so you don't have to revoke them after their lifespan has run its course.

The two links are:
1. Description of certutil.  Nice, but only so useful.
2. Describes how to remove a cert from the local store, not the CA database.  Asker stated that most users had already removed the stale certs from the local store, so this is not necessary.  Handy stuff, but not what Asker was looking for.

I apologize to BDoellefeld that I've been a bit busy lately so haven't been able to check back as much.  The script I provided will delete the expired certs from the database; it will prompt you for the date to clean up to.  Sometimes it needs to be run more than once if you handle thousands of certs, otherwise once should do it for most people.  Just copy it into Notepad and change out the ***variables*** (the %variables% should be left alone as they are part of the actual script).

Note that as with some other databases, like Exchange, deleting the entry does not shrink the size of the file.  So you need to compress it afterwards.  Exchange's eseutil utility works just fine for the CA database - just back up the data first; as with any database compression, it normally works fine but problems can happen.