• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 99
  • Last Modified:

ADCA Windows 2012 R2 and removing old certificates

We have a large internal PKI environment with an offline root and 2 sub CA's which services our 10K users and 15K devices. I use the certutil command every two weeks to remove failed request, revoked certs etc.. but what really needs to be done is clear the DB of all the expired certs. I am nervous about using the certutil command to do this since I do not want to remove a 'valid none expired certificate"
0
compdigit44
Asked:
compdigit44
  • 4
1 Solution
 
LeoCommented:
Run this command on your cert server and see if it helps you

Get-ExchangeCertificate | fl issuer,IsSelfSigned,NotAfter,thumbprint

Have you tried using this command to delete certs?

certutil –deleterow certs <today’s date in mm/dd/yyyy format>

Take a backup before deleting all expired Certs :-)
0
 
compdigit44Author Commented:
The first command does not apply to me since the server do not host Exchange

What I am trying to verify is when running the certutil command for a time period will it delete certs that are both expired and not expired if they fall in the time range?
0
 
compdigit44Author Commented:
When I check do I certutil -deleterow ? It states the cert syntax will only delete expired certificates. I am taking a backup of my CA and will post how I make out

CertUtil ScreenShot
0
 
compdigit44Author Commented:
So far using the certutil -deletrow <date> Cert command is only removing the expired certifcates as expected. I hope this helps anyone else in the future
0
 
compdigit44Author Commented:
Want to post my findings to help others in the future
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now