compdigit44 asked:
ADCA Windows 2012 R2 and removing old certificates
We have a large internal PKI environment with an offline root and 2 sub CAs which serve our 10K users and 15K devices. I use the certutil command every two weeks to remove failed requests, revoked certs etc., but what really needs to be done is clear the DB of all the expired certs. I am nervous about using the certutil command to do this since I do not want to remove a 'valid non-expired certificate'.
ASKER
The first command does not apply to me since the server does not host Exchange.
What I am trying to verify is: when running the certutil command for a time period, will it delete certs that are both expired and not expired if they fall in the time range?
ASKER
I want to post my findings to help others in the future.
Get-ExchangeCertificate | fl Issuer,IsSelfSigned,NotAfter
Have you tried using this command to delete certs?
certutil -deleterow <today's date in mm/dd/yyyy format> Cert
Take a backup before deleting all expired Certs :-)
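As an added example (not code from the thread or from its participants), the following PowerShell wrapper puts the two pieces of advice above into one safe sequence: preview which certificate rows a date-based `certutil -deleterow` would touch, back up the database, and only then delete. Because the cutoff is required to be no later than today, every row whose NotAfter lies before it is expired by definition, which is the asker's concern. The backup folder and the `Row N:` line format used for counting are assumptions.

```powershell
<#
  Added example, not from the original thread. Run on the issuing CA as a CA
  administrator. Assumptions: the backup folder path, and that certutil -view
  prints one "Row N:" line per matching record (used only for the count).
#>
param(
    # Only certificate rows whose NotAfter is before this date are affected.
    [Parameter(Mandatory)] [datetime] $Cutoff,
    # Where certutil -backupdb writes the database copy before anything is deleted.
    [string] $BackupDir = ('C:\CABackup\' + (Get-Date -Format 'yyyyMMdd')),
    # Without -Commit the script is a dry run: it previews and deletes nothing.
    [switch] $Commit
)

# Guard: with a cutoff no later than now, "NotAfter < cutoff" can only match
# certificates that have already expired, so no valid certificate is in scope.
if ($Cutoff -gt (Get-Date)) { throw 'Cutoff must not be in the future.' }

# certutil takes the date in the thread's mm/dd/yyyy form.
$dateArg = $Cutoff.ToString('MM/dd/yyyy')

# 1. Preview: the rows -deleterow would remove, restricted to NotAfter before the cutoff.
$preview = & certutil -view -restrict "NotAfter<$dateArg" `
               -out 'RequestID,CommonName,NotAfter,Disposition'
$count = @($preview | Select-String -Pattern '^\s*Row \d+:').Count
Write-Host "$count certificate rows with NotAfter before $dateArg would be removed."
$preview

if (-not $Commit) {
    Write-Host 'Dry run only. Re-run with -Commit to back up and delete.'
    return
}

# 2. Back up the CA database first (the thread's own advice); stop if that fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& certutil -backupdb $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed ($LASTEXITCODE); nothing deleted." }

# 3. Delete only the Cert table rows that expired before the cutoff.
& certutil -deleterow $dateArg Cert
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -deleterow exited with $LASTEXITCODE; review its output before re-running."
}
# Note: the .edb file does not shrink until the database is compacted
# (certsvc stopped, esentutl /d on the CA database), which is a separate step.
```

Failed and pending requests live in the Request table, not the Cert table, so they need a separate `certutil -deleterow <date> Request` pass after the same preview-and-backup discipline.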