How to remove expired certificates in the Intermediate Certificate store?

  • Question

  • Hello,

    Currently I am seeing expired certificates in our intermediate certificate store. The expired certificates for one of our issuing CAs hang around for some reason. It is the only one that does this; for the others, the store only shows the most current certificate instead of including their expired certificates as well.

    Is there a certain option that is causing this CA to publish new certs instead of overriding the expired ones? How can I clear all the expired certificates for this store?


    Monday, July 20, 2015 7:04 PM

All replies

  • Why do you want the expired ones removed? They are there so that anything issued by them in the past is still able to be chained and validated properly. 

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    • Proposed as answer by Alex Lv Friday, July 31, 2015 2:38 AM
    • Marked as answer by Alex Lv Friday, July 31, 2015 2:38 AM
    Monday, July 20, 2015 11:28 PM
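    Before deciding whether anything in the store should be touched, it helps to see exactly which certificates are there, which renewals of the same CA they represent, and whether anything on the machine still names them as issuer. The following is an added PowerShell example, not code from this thread or from any of the posters; it assumes Windows PowerShell 5.1 or later with the `Cert:` drive provider and reads only from the local machine stores.

```powershell
# Added example, not from the thread: inventory the machine's Intermediate
# Certification Authorities store and show which Personal-store certificates
# still name each expired intermediate as their issuer. Read-only.
# Assumes Windows PowerShell 5.1 or later with the Cert: drive provider.

$now = Get-Date

# Cert:\LocalMachine\CA is the "Intermediate Certification Authorities" store.
# A CA that has been renewed several times leaves one certificate per renewal
# here, all with the same Subject; group by Subject so renewals sit side by side.
$intermediates = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Sort-Object Subject, NotAfter

$intermediates | Group-Object Subject | ForEach-Object {
    Write-Host "`n$($_.Name)"
    foreach ($cert in $_.Group) {
        # Subject Key Identifier distinguishes renewals that share a Subject name.
        $ski = ($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
        ).SubjectKeyIdentifier
        $status = if ($cert.NotAfter -lt $now) { 'EXPIRED' } else { 'valid  ' }
        Write-Host ("  {0}  NotAfter={1:yyyy-MM-dd}  Thumbprint={2}  SKI={3}" -f
            $status, $cert.NotAfter, $cert.Thumbprint, $ski)
    }
}

# For every expired intermediate, list Personal-store certificates whose Issuer
# field matches its Subject. Name matching cannot tell renewals of one CA apart,
# so a hit means "this CA name is still in use on this host", not proof that this
# exact certificate is the one a chain needs.
$expired   = $intermediates | Where-Object { $_.NotAfter -lt $now }
$leafCerts = Get-ChildItem -Path Cert:\LocalMachine\My

foreach ($ca in $expired) {
    $dependents = $leafCerts | Where-Object { $_.Issuer -eq $ca.Subject }
    if ($dependents) {
        Write-Host "`nExpired intermediate $($ca.Thumbprint) is still named as issuer by:"
        $dependents | ForEach-Object {
            Write-Host ("  {0}  (expires {1:yyyy-MM-dd})" -f $_.Subject, $_.NotAfter)
        }
    }
}
```

    On domain-joined servers this store is normally populated by certificate autoenrollment from the AIA container in Active Directory, so a certificate deleted locally tends to reappear at the next policy refresh; the inventory above is meant to show what is present and what depends on it, which is the information needed to interpret the log errors rather than mask them.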
  • I thought the expired certificates are stored in the CA's property.

    I guess I need to clarify: the expired certificates I am seeing are in the intermediate certificate store on our servers. It is currently causing some errors in our servers' logs, so I am looking to remove them.

    The strange thing is only this CA is populating the servers' intermediate certificate store with expired certificates while the others are overwriting.

    Tuesday, July 21, 2015 2:26 PM
  • Not sure what you mean by "stored in the ca's property".

    What errors are you seeing in your logs? It could be a symptom of a failure in your PKI, and just deleting them won't resolve the problem - it just temporarily covers up the issue.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    • Proposed as answer by Alex Lv Friday, July 31, 2015 2:38 AM
    Tuesday, July 21, 2015 2:50 PM
  • Hi Justinian00,

    You can refer to the following similar thread:

    Updating Issuing CA certificate - Expired Issuing CA certificate still exists in Intermediate Certificate Authority Certificate list

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e196c1ef-09ca-4fbb-bd81-c4a2908d81e4/updating-issuing-ca-certificate-expired-issuing-ca-certificate-still-exists-in-intermediate?forum=winserversecurity

    I’m glad to be of help to you!


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Proposed as answer by Alex Lv Monday, July 27, 2015 10:10 AM
    • Marked as answer by Alex Lv Friday, July 31, 2015 2:37 AM
    Thursday, July 23, 2015 5:28 AM