?
Solved

ADCA Windows 2012 R2 and removing old certificates

Posted on 2016-10-20
5
Medium Priority
?
78 Views
Last Modified: 2016-10-27
We have a large internal PKI environment with an offline root and 2 sub CA's which services our 10K users and 15K devices. I use the certutil command every two weeks to remove failed request, revoked certs etc.. but what really needs to be done is clear the DB of all the expired certs. I am nervous about using the certutil command to do this since I do not want to remove a 'valid none expired certificate"
0
Comment
Question by:compdigit44
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 8

Expert Comment

by:Leo
ID: 41853244
Run this command on your cert server and see if it helps you

Get-ExchangeCertificate | fl issuer,IsSelfSigned,NotAfter,thumbprint

Have you tried using this command to delete certs?

certutil –deleterow certs <today’s date in mm/dd/yyyy format>

Take a backup before deleting all expired Certs :-)
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41854674
The first command does not apply to me since the server do not host Exchange

What I am trying to verify is when running the certutil command for a time period will it delete certs that are both expired and not expired if they fall in the time range?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41855432
When I check do I certutil -deleterow ? It states the cert syntax will only delete expired certificates. I am taking a backup of my CA and will post how I make out

CertUtil ScreenShot
0
 
LVL 20

Accepted Solution

by:
compdigit44 earned 0 total points
ID: 41855661
So far using the certutil -deletrow <date> Cert command is only removing the expired certifcates as expected. I hope this helps anyone else in the future
0
 
LVL 20

Author Closing Comment

by:compdigit44
ID: 41861866
Want to post my findings to help others in the future
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question