Solved

Delete/revoke expired certificates from Local Certificate Authority

Posted on 2009-07-13
Last Modified: 2013-12-04
I have a large number of expired certificates on a local certification authority which also happens to be an exchange server. Primarily these were used for WPA. Most of the users have deleted expired certificates from their local machine.

I know that I can revoke them but do not see an option to delete them. My question is twofold:

Can they be deleted? Also, am I safe in deleting or revoking them?

Attached is an example screenshot:
certexpire.png
Question by:BDoellefeld
14 Comments
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24844012
Once the certificate has been revoked, you can delete the certificate. It is safe to remove them and it will not cause any issues with Exchange.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24844057
http://technet.microsoft.com/en-us/library/cc875810.aspx

0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1000 total points
ID: 24844346
You can delete the certs from the MMC or cmd line.  I use a script I made to delete them.  Like Exchange, just because you delete rows does not mean the DB space is cleaned up, however.  You can use the same jet compression utility, eseutil, to clean up the CA database.

For the script, run as many times as you need to until each section reports Deleted rows: 0.

@ECHO OFF
@ECHO ............................
@ECHO .                          .
@ECHO . CA Database Cleanup      .
@ECHO .                          .
@ECHO . Version 1.0              .
@ECHO .                          .
@ECHO . Created by Paranormastic .
@ECHO ............................

@ECHO Make sure to backup the CA Database prior to running this script.
@ECHO Please enter the date to clean the database up to (MM/DD/YYYY):
SET /P _CleanDate=

@ECHO Please choose one of the following options.
@ECHO Press 1 for ***SUBCA1***
@ECHO Press 2 for ***SUBCA2***
REM Replace the ***values*** below with your own CA names and config strings (server\CA name).
REM Must list these in reverse order when setting environment variable.

REM Clear any value left over from an earlier run in this same command window.
SET _UseCA=
SET /P _CAChoice=
    IF "%_CAChoice%"=="2" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA2***
    IF "%_CAChoice%"=="1" SET _UseCA=***SERVER2.DOMAIN.COM\SUBCA1***
IF NOT DEFINED _UseCA (
    @ECHO Invalid choice - nothing was changed.
    GOTO END
)

REM Note - 'cert' rows include both expired and revoked certs.

@ECHO The following commands may take a couple minutes to time out.
@ECHO If the CA database is larger, you may need to run this a few times.
@ECHO This should clean up a couple thousand entries per line.

@ECHO ON

REM certutil deletes a bounded batch of rows per call, so each row type is run
REM several times. Re-run the whole script until every line reports 0 rows deleted.
FOR /L %%i IN (1,1,2) DO Certutil -deleterow -config %_UseCA% %_CleanDate% crl
FOR /L %%i IN (1,1,2) DO Certutil -deleterow -config %_UseCA% %_CleanDate% request
FOR /L %%i IN (1,1,7) DO Certutil -deleterow -config %_UseCA% %_CleanDate% cert

@ECHO OFF
GOTO END

REM Debug label - only reached if you change the GOTO above to GOTO TEST.
:TEST
@echo %_CleanDate% date
@echo %_CAChoice% choice
@echo %_UseCA% ca name
GOTO END

:END
@ECHO .............
@ECHO .           .
@ECHO . ALL DONE! .
@ECHO .           .
@ECHO .............
pause

0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24844372
After that is done, back up the CA database:
certutil -backupdb

Use the following command to determine the location of the database files for a CA by typing:
certutil -databaselocations

This can also be checked via GUI by selecting the Properties of the CA_Name via the Certification Authority MMC, and then viewing the Storage tab - it should be a .edb file.

Use the following command for defragmenting the CA database:
Eseutil.exe /d %path_to_CA_DB%\<CA_Name>.edb /t %optional_temp_path%

This can take a few hours to run on larger databases - we compressed a 12 GB database down to 4 GB on a P3 server in about 5-6 hours, if memory serves.
0
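Added example, not code from the thread or from Paranormastic: a PowerShell script that automates the accepted answer's procedure (back up, then repeat certutil -deleterow per row type until it reports zero rows) and the follow-up's defrag step. The CA config string, the backup path and the wording of certutil's "Rows deleted" line are assumptions; reading the database path from the CertSvc registry key and using Windows' built-in esentutl.exe in place of Exchange's eseutil are substitutions of mine.

```powershell
# Added example (not from the thread). Assumed placeholders: CA config string,
# backup folder, and the wording of certutil's "Rows deleted: N" output line.
param(
    [string]$CaConfig  = 'SERVER2.DOMAIN.COM\SUBCA1',  # placeholder: <host>\<CA name>
    [string]$CleanDate = '01/01/2009',                 # MM/DD/YYYY; rows older than this are removed
    [string]$BackupDir = 'C:\CABackup',                # placeholder; folder must not already exist
    [switch]$Defrag                                    # also compact the .edb afterwards
)

# 1. Back up the CA database first; abort the cleanup if the backup fails.
certutil -config $CaConfig -backupdb $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed (exit $LASTEXITCODE); nothing deleted" }

# 2. Remove expired CRLs, stale requests and expired certs older than the cutoff.
#    certutil deletes a bounded batch per call, so each row type is repeated
#    until it reports zero rows (the accepted answer's "Deleted rows: 0" condition).
$totals = [ordered]@{}
foreach ($rowType in 'crl', 'request', 'cert') {
    $totals[$rowType] = 0
    for ($pass = 1; $pass -le 50; $pass++) {
        $out = certutil -deleterow -config $CaConfig $CleanDate $rowType 2>&1 | Out-String
        $deleted = 0   # assumed wording below; adjust the regex if your certutil prints it differently
        if ($out -match '(?i)(?:rows\s+deleted|deleted\s+rows)\s*:\s*(\d+)') { $deleted = [int]$Matches[1] }
        Write-Host ("{0,-8} pass {1,2}: {2} rows deleted" -f $rowType, $pass, $deleted)
        $totals[$rowType] += $deleted
        if ($deleted -eq 0) { break }
    }
}
$totals   # per-row-type totals for the change record

# 3. Optional: compact the database. Deleting rows does not shrink the .edb file,
#    and the offline defrag needs exclusive access, so the CA service is stopped around it.
#    The path comes from the CertSvc registry key (the same value the Storage tab shows);
#    esentutl.exe is Windows' built-in ESE tool, used here instead of Exchange's eseutil.
if ($Defrag) {
    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $edb = Join-Path $cfg.DBDirectory ($cfg.Active + '.edb')
    Stop-Service CertSvc
    try     { esentutl.exe /d $edb }
    finally { Start-Service CertSvc }
}
```

Run it from an elevated prompt on the CA itself; the 50-pass ceiling per row type is only a safety stop so a database that never reaches zero cannot loop forever.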
 
LVL 9

Author Comment

by:BDoellefeld
ID: 24844452
@all
You can delete these? I can't seem to delete anything (while logged in as administrator), there is no delete option. I have not tried the script yet wanted to delete a few manually first.
certexpire2.png
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24849566
Ya got me.  I thought I remembered there being a thing in the GUI.  When I need to clean up the database I need to do about 10-25,000 records at a time so I always use my scripts for almost every administrative task due to the sheer volume that we handle.  Just remember to backup - just like most maintenance tasks it usually works fine but I have heard of it going south once - luckily they did do the backup first, and we were able to work through it.
0
 
LVL 9

Author Comment

by:BDoellefeld
ID: 25038502
@admin

I'd like to hold the question open a bit longer. I still am at a loss on how to delete a certificate from the CA as the option to delete is not available.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 25038818
It is not possible to delete a certificate via the Certificate Authority window.  You can only revoke the certificate.
If they have expired, then you can safely revoke them.
 
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 500 total points
ID: 25040724
0
 
LVL 37

Expert Comment

by:bbao
ID: 25053885
agree with Subsun. her/his comment should be the answer.
0
 
LVL 9

Author Closing Comment

by:BDoellefeld
ID: 31603025
Thank you for the replies.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 25071526
>> agree with Subsun. her/his comment should be the answer.
I disagree.  Here is why:

Simply put - it does not answer the question.  Mine did.

The batch script I provided is how I do this all the time to clean up tens of thousands of expired certs from our CA database monthly.  The followup posting describes the method to compress the CA database afterwards.

You should not revoke expired certs unless you want to make your CRL unnecessarily large.  That's why they expire - so you don't have to revoke them after their lifespan has run its course.

The two links are:
1. Description of certutil.  Nice, but only so useful.
2. Describes how to remove a cert from the local store, not the CA database.  Asker stated that most users had already removed the stale certs from the local store, so this is not necessary.  Handy stuff, but not what Asker was looking for.

I apologize to BDoellefeld that I've been a bit busy lately so haven't been able to check back as much.  The script I provided will delete the expired certs from the database; it will prompt you for the date to clean up to.  Sometimes it needs to be run more than once if you handle thousands of certs, otherwise once should do it for most people.  Just copy it into notepad and change out the ***variables*** (the %variables% should be left alone as they are part of the actual script).

Note that as with some other databases, like Exchange, deleting the entry does not shrink the size of the file.  So you need to compress it afterwards.  Exchange's eseutil utility works just fine for the CA database - just back up data first as with any database compression it normally works fine but problems can happen.
0
