compdigit44

asked on

ADCA Windows 2012 R2 and removing old certificates

We have a large internal PKI environment with an offline root and 2 sub CAs which service our 10K users and 15K devices. I use the certutil command every two weeks to remove failed requests, revoked certs etc., but what really needs to be done is clear the DB of all the expired certs. I am nervous about using the certutil command to do this since I do not want to remove a "valid non-expired certificate".
Leo

Run this command on your cert server and see if it helps you

Get-ExchangeCertificate | fl issuer,IsSelfSigned,NotAfter,thumbprint

Have you tried using this command to delete certs?

certutil -deleterow <today's date in mm/dd/yyyy format> Cert

Take a backup before deleting all expired Certs :-)
compdigit44

ASKER

The first command does not apply to me since the servers do not host Exchange.

What I am trying to verify is: when running the certutil command for a time period, will it delete certs that are both expired and not expired if they fall in the time range?
When I check certutil -deleterow ? it states the Cert syntax will only delete expired certificates. I am taking a backup of my CA and will post how I make out.
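Leo's command and the asker's worry above both come down to one question: which rows does "-deleterow <date> Cert" actually remove? With a date argument, certutil selects rows in the Cert view whose expiration (NotAfter) is before that date, so an issued certificate that is still valid is never selected. The script below is an added example, not code from the original thread, for checking that on your own CA before touching anything: it runs the same date restriction through certutil -view as a dry run, shows how many valid certificates would be left alone, backs up the database, and only deletes when you pass -Delete. The CA name, backup path and the 90-day retention window are assumptions you must change; run it on the sub CA itself.

```powershell
<#
  Added example, not part of the original post.
  Dry-run, back up, then prune expired certificates from an AD CS database.
  Assumed values (placeholders, not from the thread): backup path, retention window.
  Run in an elevated PowerShell on the issuing CA.
#>
param(
    [switch]$Delete,                         # without -Delete nothing is changed
    [int]$RetainDays = 90,                   # assumption: keep certs expired < 90 days ago
    [string]$BackupPath = "D:\CABackup\$(Get-Date -Format yyyyMMdd)"  # assumption
)

# certutil wants the cutoff as mm/dd/yyyy regardless of the system locale
$cutoff     = (Get-Date).AddDays(-$RetainDays)
$cutoffText = $cutoff.ToString('MM/dd/yyyy', [Globalization.CultureInfo]::InvariantCulture)

function Count-Rows([string[]]$certutilOutput) {
    # certutil -view prints one "Row N:" header per matching row
    return ($certutilOutput | Select-String '^Row \d+:').Count
}

# 1. Dry run: the same restriction -deleterow applies. Only rows whose NotAfter
#    is on or before the cutoff match; Disposition 20 = issued, 21 = revoked.
$toDelete = certutil -view -restrict "NotAfter<=$cutoffText" `
                     -out 'RequestID,CommonName,NotBefore,NotAfter,Disposition'
Write-Host ("Rows that 'certutil -deleterow {0} Cert' would remove: {1}" -f $cutoffText, (Count-Rows $toDelete))

# 2. The inverse query: issued certificates expiring AFTER the cutoff. These are the
#    "valid non-expired" certs the asker is worried about; the date filter never selects them.
$stillValid = certutil -view -restrict "NotAfter>$cutoffText,Disposition=20" -out 'RequestID,NotAfter'
Write-Host ("Issued, unexpired certificates that stay untouched: {0}" -f (Count-Rows $stillValid))

if (-not $Delete) {
    Write-Host 'Dry run only. Re-run with -Delete to back up and prune.'
    return
}

# 3. Back up the CA database (and its log) before any destructive change.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
certutil -backupDB $BackupPath
if ($LASTEXITCODE -ne 0) { throw "CA database backup to $BackupPath failed; aborting." }

# 4. Prune. Argument order is <date> then the table name (Cert).
#    certutil works through large deletions in batches, so re-run until it exits
#    cleanly; the pass limit is a guard against looping forever on an unexpected error.
$pass = 0
do {
    $pass++
    $output = certutil -deleterow $cutoffText Cert 2>&1
    $rc = $LASTEXITCODE
    Write-Host "Pass ${pass}: $($output -join ' ')"
} while ($rc -ne 0 -and $pass -lt 50)

if ($rc -ne 0) { throw "certutil -deleterow did not complete cleanly after $pass passes; restore from $BackupPath if needed." }
Write-Host 'Cleanup finished. The .edb file will not shrink until the CA service is stopped and the database is compacted with esentutl /d.'
```

Two caveats before running it with -Delete: a deleted row is gone for good except via the backup taken in step 3, so keep that backup until you are sure nothing depended on those rows; and if the CA archives private keys for key recovery, or expired certificates are still needed to validate old signatures, the rows for those certificates should stay in the database, which is why the example keeps a retention window rather than using today's date.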

ASKER CERTIFIED SOLUTION
compdigit44

Want to post my findings to help others in the future