What do you do with expired certificates?

    Question

  • After a couple of years I looked over our issuing Certificate Authorities and noticed a bunch of expired certificates in the Issued Certificates folder.  So what should we do with them?  Do we just ignore them?  I prefer to clean things up, so I revoked a few as "Cease of Operation" that were issued to our old Exchange servers which were decommissioned.  That moved them from the Issued Certificates folder to the Revoked Certificates folder.  How do you handle your expired certs?
    Tuesday, January 12, 2010 11:16 PM

Answers

  • Just leave them.
    1) They were still issued
    2) If you need to recover private keys, they need to exist in the CA database to allow recovery
    3) Any customers I have seen that have attempted to start deleting rows from the CA database and running Jet DB utilities against it, end up with corrupted CA databases.
    Brian
    Wednesday, January 13, 2010 12:59 AM

All replies

  • Adding to my answer, revoking an expired certificate is a complete waste of time.
    1) The certificate is expired, so no need to check revocation, as it is not time valid.
    2) It goes into the CRL, but then is expunged, because the default behavior is to only have time-valid certs on the CRL. And if you do a registry hack to include expired certificates, now you have CRL size bloat.

    Brian
    Wednesday, January 13, 2010 1:01 AM
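    As an added example that is not part of this thread or Brian's answer: a read-only PowerShell inventory of certificates that are expired but still sit in the Issued Certificates view, which is the safe way to satisfy the "I prefer to clean things up" urge without touching rows in the CA database. It assumes certutil's `-restrict` date syntax `NotAfter<=now` (with `Disposition=20` meaning issued) and its `csv` output modifier; the `-CAConfig` value is a placeholder.

```powershell
# Added example (not from this thread): read-only inventory of expired,
# still-issued certificates in an AD CS CA database. It only queries the
# database via certutil -view; nothing is deleted, revoked or compacted.
# Assumptions: certutil -restrict accepts "Disposition=20,NotAfter<=now"
# (20 = issued), the "csv" modifier emits one header row followed by data
# rows in the order given to -out, and dates parse with the local culture.
param(
    [string]$CAConfig = ""   # placeholder, e.g. "ca01.corp.example\Corp Issuing CA"; empty = local CA
)

$configArg = if ($CAConfig) { @("-config", $CAConfig) } else { @() }

# Columns to pull; RawCertificate is deliberately omitted to keep output small.
$columns = "RequestID,CommonName,CertificateTemplate,NotAfter,SerialNumber"

$csv = & certutil.exe @configArg -view `
        -restrict "Disposition=20,NotAfter<=now" `
        -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil prints display names ("Certificate Expiration Date", ...) in its
# header row; skip it and apply our own stable property names instead.
$expired = $csv | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, CommonName, Template, NotAfter, SerialNumber

# Summarise by template and year of expiry so the admin can see what the
# "clutter" actually is before deciding, as the thread advises, to leave it.
$summary = $expired |
    Group-Object Template, { [datetime]::Parse($_.NotAfter).Year } |
    Select-Object @{n = 'Template';   e = { $_.Values[0] }},
                  @{n = 'ExpiryYear'; e = { $_.Values[1] }},
                  Count |
    Sort-Object Template, ExpiryYear

"{0} expired certificates still listed as issued" -f @($expired).Count
$summary | Format-Table -AutoSize

# Keep a record outside the CA for audit; the rows themselves stay in the CA DB
# so key recovery and the issuance history remain intact.
$expired | Export-Csv -NoTypeInformation -Path ".\expired-issued-certs.csv"
```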
  • Thank you Brian, I type this with your 2008 PKI book in my lap, LOL. Is the information you provided on this forum in your book somewhere?  I was unable to find Certificate Expiration in the index; it seems such a fundamental topic that it would be worth adding a blurb, at least as you stated above.
    Wednesday, January 13, 2010 4:48 PM
  • This is the current supplement to the book (my answers)
    <G>
    Brian
    Wednesday, January 13, 2010 8:18 PM