Solved

Delete/revoke expired certificates from Local Certificate Authority

Posted on 2009-07-13
Last Modified: 2013-12-04
I have a large number of expired certificates on a local certification authority which also happens to be an exchange server. Primarily these were used for WPA. Most of the users have deleted expired certificates from their local machine.

I know that I can revoke them but do not see an option to delete them. My question is twofold:

Can they be deleted? Also, am I safe in deleting or revoking them?

Attached is an example screen shot
certexpire.png
Question by:BDoellefeld
14 Comments
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24844012
Once the certificate has been revoked, you can delete the certificate. It is safe to remove them and it will not cause any issues with Exchange.
LVL 8

Expert Comment

by:Npatang
ID: 24844057
http://technet.microsoft.com/en-us/library/cc875810.aspx

LVL 31

Accepted Solution

by:
Paranormastic earned 250 total points
ID: 24844346
You can delete the certs from the MMC or cmd line.  I use a script I made to delete them.  Like Exchange, just because you delete rows does not mean the DB space is cleaned up, however.  You can use the same jet compression utility, eseutil, to clean up the CA database.

For the script, run as many times as you need to until each section reports Deleted rows: 0.

@ECHO OFF
@ECHO ............................
@ECHO .                          .
@ECHO . CA Database Cleanup      .
@ECHO .                          .
@ECHO . Version 1.0              .
@ECHO .                          .
@ECHO . Created by Paranormastic .
@ECHO ............................

@ECHO Make sure to backup the CA Database prior to running this script.
@ECHO Please enter the date to clean the database up to (MM/DD/YYYY):
SET /P _CleanDate=

@ECHO Please choose one of the following options.
@ECHO Press 1 for ***SUBCA1***
@ECHO Press 2 for ***SUBCA2***
REM Must list these in reverse order when setting environment variable
SET /P _CAChoice=
REM Quoted comparison so an empty answer does not produce a syntax error
    IF "%_CAChoice%"=="2" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA2***
    IF "%_CAChoice%"=="1" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA1***

REM Note - 'cert' includes both expired and revoked certs.

@ECHO The following commands may take a couple minutes to time out.
@ECHO If the CA database is larger, you may need to run this a few times.
@ECHO This should clean up a couple thousand entries per line.

@ECHO ON
REM Each line deletes rows dated before %_CleanDate% from one table (crl, request, cert).
REM The same command is repeated because one pass may stop before the table is empty.
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% crl
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% request
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert
Certutil -deleterow -config %_UseCA% %_CleanDate% cert

@ECHO OFF
GOTO END

REM Debug section: not reached normally; change the GOTO above to GOTO TEST to print the inputs.
:TEST
@echo %_CleanDate% date
@echo %_CAChoice% choice
@echo %_UseCA% ca name
GOTO END

:END
@ECHO .............
@ECHO .           .
@ECHO . ALL DONE! .
@ECHO .           .
@ECHO .............
pause

LVL 31

Expert Comment

by:Paranormastic
ID: 24844372
After that is done, back up the CA database:
certutil -backupdb

Use the following command to determine the location of the database files for a CA by typing:
certutil -databaselocations

This can also be checked via GUI by selecting the Properties of the CA_Name via the Certification Authority MMC, and then viewing the Storage tab - it should be a .edb file.

Use the following command for defragmenting the CA database:
Eseutil.exe /d %path_to_CA_DB%\<CA_Name>.edb /t %optional_temp_path%

This can take a few hours to run on larger databases - we compressed a 12 GB database down to 4 GB on a P3 server in about 5-6 hours, if memory serves.
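An added example (my own code, not the accepted answer's batch file or anything from the thread) that automates the procedure in the two posts above: back up the CA database, repeat certutil -deleterow for each table until a pass reports zero deleted rows, then optionally compact the .edb with eseutil /d. The CA config string, cut-off date, backup root and .edb path are placeholders to replace with your own values; eseutil is assumed to be on the PATH, and the "Deleted rows: N" line is matched as the thread describes it.

```powershell
# Added example, not code from the thread. Placeholders: $CaConfig, $CleanDate, $BackupRoot, $DbPath.
param(
    [string]$CaConfig   = 'CA-HOST.EXAMPLE.COM\SubCA1',             # placeholder "host\CA name"
    [string]$CleanDate  = '01/01/2009',                              # rows dated before this are deleted (MM/DD/YYYY)
    [string]$BackupRoot = 'C:\CABackup',                             # placeholder
    [string]$DbPath     = 'C:\Windows\System32\CertLog\SubCA1.edb',  # placeholder; see certutil -databaselocations
    [switch]$Compact                                                 # also run eseutil /d (stops the CA service)
)

function Get-DeletedRowCount([string[]]$Output) {
    # Parse the row count certutil prints ("Deleted rows: N" per the thread; "Rows deleted: N" also accepted).
    # Returns -1 when no such line is found, which makes the caller stop instead of looping blindly.
    foreach ($line in $Output) {
        if ("$line" -match '(?i)(deleted rows|rows deleted)\D*(\d+)') { return [int]$Matches[2] }
    }
    return -1
}

# 1. Back up the CA database first, into a fresh directory (backupdb refuses a non-empty one).
$backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
certutil -config $CaConfig -backupdb $backupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -backupdb failed; nothing was deleted.' }

# 2. Delete rows older than $CleanDate table by table, repeating until a pass deletes 0 rows
#    (the thread notes one pass can stop early on a large database).
foreach ($table in 'crl', 'request', 'cert') {
    $pass = 0
    do {
        $pass++
        $out = certutil -deleterow -config $CaConfig $CleanDate $table 2>&1
        $n = Get-DeletedRowCount $out
        Write-Host ("{0}: pass {1}, deleted rows: {2}" -f $table, $pass, $n)
    } while ($n -gt 0 -and $pass -lt 25)   # pass cap so a parse failure cannot loop forever
}

# 3. Deleting rows does not shrink the .edb; an offline defragmentation does. CertSvc must be stopped.
if ($Compact) {
    Stop-Service CertSvc
    try {
        eseutil /d $DbPath
        if ($LASTEXITCODE -ne 0) { throw 'eseutil /d failed; restore from the backup if the database is damaged.' }
    } finally {
        Start-Service CertSvc
    }
}
```

Run it without -Compact first and check the per-table output; add -Compact only after the row deletion has finished and the CA can tolerate the service being stopped for the defragmentation.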
LVL 9

Author Comment

by:BDoellefeld
ID: 24844452
@all
You can delete these? I can't seem to delete anything (while logged in as administrator), there is no delete option. I have not tried the script yet wanted to delete a few manually first.
certexpire2.png
LVL 31

Expert Comment

by:Paranormastic
ID: 24849566
Ya got me.  I thought I remembered there being a thing in the GUI.  When I need to clean up the database I need to do about 10-25,000 records at a time so I always use my scripts for almost every administrative task due to the sheer volume that we handle.  Just remember to backup - just like most maintenance tasks it usually works fine but I have heard of it going south once - luckily they did do the backup first, and we were able to work through it.
LVL 9

Author Comment

by:BDoellefeld
ID: 25038502
@admin

I'd like to hold the question open a bit longer. I still am at a loss on how to delete a certificate from the CA as the option to delete is not available.
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 125 total points
ID: 25038818
It is not possible to delete a certificate via the Certificate Authority window.  You can only revoke the certificate.
If they have expired, then you can safely revoke them.
LVL 40

Assisted Solution

by:Subsun
Subsun earned 125 total points
ID: 25040724
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 25053885
Agree with Subsun. Her/his comment should be the answer.
LVL 9

Author Closing Comment

by:BDoellefeld
ID: 31603025
Thank you for the replies.
LVL 31

Expert Comment

by:Paranormastic
ID: 25071526
>> agree with Subsun. her/his comment should be the answer.
I disagree.  Here is why:

Simply put - it does not answer the question.  Mine did.

The batch script I provided is how I do this all the time to clean up tens of thousands of expired certs from our CA database monthly.  The follow-up posting describes the method to compress the CA database afterwards.

You should not revoke expired certs unless you want to make your CRL unnecessarily large.  That's why they expire - so you don't have to revoke them after their lifespan has run its course.

The two links are:
1. Description of certutil.  Nice, but only so useful.
2. Describes how to remove a cert from the local store, not the CA database.  Asker stated that most users had already removed the stale certs from the local store, so this is not necessary.  Handy stuff, but not what Asker was looking for.

I apologize to BDoellefeld that I've been a bit busy lately so haven't been able to check back as much.  The script I provided will delete the expired certs from the database; it will prompt you for the date to clean up to.  Sometimes it needs to be run more than once if you handle thousands of certs, otherwise once should do it for most people.  Just copy it into notepad and change out the ***variables*** (the %variables% should be left alone as they are part of the actual script).

Note that as with some other databases, like Exchange, deleting the entry does not shrink the size of the file.  So you need to compress it afterwards.  Exchange's eseutil utility works just fine for the CA database - just back up data first as with any database compression it normally works fine but problems can happen.