Cleanup Expired CA Certs

Question

  • I'm working on cleaning our CA's database.  There were a ton of "failed requests" that I cleared out.

    I want to go through our "Issued" certs and remove anything that is expired.

    I'm wondering a few things.

    1.  Is it okay to find the expired certs and revoke them?  I'm wondering why the CA itself doesn't already do that.

    2.  After I revoke them they will go to the "Revoked" list.  After the CRL is published is it okay to clean the "Revoked" list?



    David Jenkins
    Monday, November 14, 2011 10:27 PM


All replies

  • There is no need to revoke expired certificates. Remember that revocation is to prevent the use of a certificate *prior* to its expiry date.

    The default behavior of the CA is to remove the certificate from the CRL one publication period after the certificate expires.

    Just a question, why are you cleaning out the database? From a forensics and audit perspective, you are erasing evidence of what has occurred in the past?

    Brian

    Tuesday, November 15, 2011 4:30 AM
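The point above (expired certificates need no revocation, and only a count of what is actually expired tells you what a cleanup would touch) can be checked read-only before anything is changed. The script below is an added example, not code from the thread or from Microsoft; it assumes it runs on the CA with certutil.exe available and rights to read the database, and it uses certutil's standard disposition codes (20 = issued, 21 = revoked).

```powershell
# Added example, not from the thread: read-only inventory of an AD CS database.
# Run on the CA (or append -config "CAHost\CAName" to each certutil call).
# Assumes certutil's disposition codes: 20 = issued, 21 = revoked.
# Nothing here revokes or deletes rows; it only shows what a cleanup would act on.

function Get-CaRowCount {
    param([Parameter(Mandatory)][string]$Restrict)
    # certutil -view prints one "Row N:" line per matching row, so counting
    # those lines is cheaper than parsing every column.
    $out = & certutil.exe -view -restrict $Restrict -out "RequestID" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $out" }
    return @($out | Where-Object { $_ -match '^\s*Row \d+:' }).Count
}

function Get-IssuedPerRequester {
    # Still-valid issued certificates grouped by requester and template, which is
    # how to spot one user holding many copies of the same (e.g. VPN) certificate.
    $csv = & certutil.exe -view -restrict "Disposition=20,NotAfter>now" `
             -out "RequesterName,CertificateTemplate,NotBefore,NotAfter" csv 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $csv" }
    # The first line is certutil's own header (column display names); replace it.
    $rows = $csv | Select-Object -Skip 1 |
            ConvertFrom-Csv -Header Requester,Template,NotBefore,NotAfter
    $rows | Group-Object -Property Requester,Template |
        Where-Object { $_.Count -gt 1 } |
        Sort-Object Count -Descending |
        Select-Object @{n='Requester';e={$_.Group[0].Requester}},
                      @{n='Template'; e={$_.Group[0].Template}},
                      Count
}

$summary = [ordered]@{
    # Rows a cleanup would remove; they are past NotAfter and belong on no CRL.
    'Issued, expired'     = Get-CaRowCount -Restrict "Disposition=20,NotAfter<=now"
    'Issued, still valid' = Get-CaRowCount -Restrict "Disposition=20,NotAfter>now"
    'Revoked'             = Get-CaRowCount -Restrict "Disposition=21"
}
$summary.GetEnumerator() | Format-Table Name,Value -AutoSize
Get-IssuedPerRequester   | Format-Table -AutoSize
```

The expired count is the set the original question was about: those rows can be removed with certutil's documented `-deleterow <date> Cert` option if the audit concern raised in the reply has been weighed, but they do not need revoking first. The per-requester table is the quicker way to confirm whether the same people really are receiving the same template repeatedly.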
  • I was thinking that by marking the old certs as 'Superseded' that I would be maintaining history.

    Also we're running out of drive space on the CA.  Maybe there is a way to move the DB.

    One of the problems I am having is that we seem to be generating a lot of certificates for no reason.

    We have a VPN certificate that we deploy to all users.  I see so many certificates for the same users over and over again.

    Looking at the template it shows a validity period of 1 year and a renewal period of 6 weeks.

    I'm not sure why it's set up like that but I'm thinking I should extend the renewal period to maybe 11 months.

    Any thoughts?


    David Jenkins
    Tuesday, November 15, 2011 2:22 PM
  • Okay, the 6 weeks is supposed to be before the certificate expires. But I still don't know why we have so many of the same certs being installed.

    Could it be that users are logging in to other workstations and it's applying a certificate to them?


    David Jenkins
    Tuesday, November 15, 2011 2:25 PM
  • It would be a bad idea to extend the renewal period to 11 months. What this setting means is that the clients will start to attempt renewal 6 weeks prior to the expiration of the certificate. To do what you want, reduce the setting to 4 weeks, so that renewals would start 4 weeks (1 month) prior to the expiration of the certificate.

    It sounds like you need to implement credential roaming services (CRS). If people are using multiple computers, they will autoenroll a new certificate at each workstation. When you implement CRS, the certificates and their private keys are stored in AD and downloaded to new workstations *prior* to autoenrollment kicking off (preventing unnecessary enrollments).

    http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx

    Brian

    Tuesday, November 15, 2011 3:13 PM
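The validity and renewal periods the reply discusses are stored on the template object in Active Directory (`pKIExpirationPeriod` and `pKIOverlapPeriod`), so the "1 year / 6 weeks" reading can be verified per template before the setting is reduced. The script below is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module and read access to the Configuration partition, and the template name passed in is a placeholder.

```powershell
# Added example, not from the thread: read a template's validity and renewal
# (overlap) periods from AD. Assumes the ActiveDirectory module and read
# access to CN=Certificate Templates in the Configuration partition. Read-only.
Import-Module ActiveDirectory

function ConvertFrom-PkiPeriod {
    param([byte[]]$Bytes)
    # pKIExpirationPeriod and pKIOverlapPeriod are stored as a negative 64-bit
    # count of 100-nanosecond intervals, the same unit as .NET TimeSpan ticks.
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

function Get-TemplatePeriods {
    param([string]$TemplateName)   # cn of one template; omit for all templates
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $filter   = if ($TemplateName) { "(cn=$TemplateName)" }
                else               { "(objectClass=pKICertificateTemplate)" }

    Get-ADObject -SearchBase $base -LDAPFilter $filter `
                 -Properties displayName,pKIExpirationPeriod,pKIOverlapPeriod |
      ForEach-Object {
        $validity = ConvertFrom-PkiPeriod $_.pKIExpirationPeriod
        $renewal  = ConvertFrom-PkiPeriod $_.pKIOverlapPeriod
        [PSCustomObject]@{
            Template     = $_.displayName
            ValidityDays = [int]$validity.TotalDays
            # Autoenrollment begins renewing this many days *before* NotAfter;
            # a larger value means earlier (more frequent) renewals, not later.
            RenewalDays  = [int]$renewal.TotalDays
            RenewalPct   = [math]::Round(100 * $renewal.TotalDays / $validity.TotalDays, 1)
        }
      }
}

# 'VPN-User' is a placeholder for the template name seen in the CA's template list.
Get-TemplatePeriods -TemplateName 'VPN-User' | Format-Table -AutoSize
```

A 1-year template with a 6-week renewal period shows as roughly 365 / 42 days (about 11.5%); the reply's suggestion of 4 weeks would appear as 28 days. If the table instead shows one user holding several valid copies of the template with overlapping NotBefore dates, the enrollments are happening per workstation, which is the credential roaming case the reply describes rather than a renewal-period problem.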
  • Thank you. I think this will help me out a lot.
    David Jenkins
    Tuesday, November 15, 2011 4:07 PM
  • You can move the CA database and/or logs to a different drive by using the Certutil command:

    See http://technet.microsoft.com/en-us/library/dd379476(WS.10).aspx

    Thursday, December 15, 2011 1:57 PM
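Before moving the database for space reasons it helps to see where the CA service currently keeps its files and how full those volumes are. The script below is an added example, not code from the thread or from the linked article; it assumes the registry values the CA service reads (DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration) and local administrator rights on the CA. It changes nothing.

```powershell
# Added example, not from the thread: report the CA database/log locations and
# the free space on their volumes. Assumes the CertSvc Configuration registry
# values named below and local admin rights on the CA. Read-only.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg    = Get-ItemProperty -LiteralPath $cfgKey

function Get-DirUsage {
    param([string]$Setting, [string]$Path, [string]$Filter = '*')
    $files = @(Get-ChildItem -LiteralPath $Path -Filter $Filter -File -ErrorAction SilentlyContinue)
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Path))
    $used  = ($files | Measure-Object -Property Length -Sum).Sum
    [PSCustomObject]@{
        Setting = $Setting
        Path    = $Path
        Files   = $files.Count
        UsedMB  = [math]::Round($used / 1MB, 1)
        FreeGB  = [math]::Round($drive.AvailableFreeSpace / 1GB, 1)
    }
}

@(
    Get-DirUsage 'DBDirectory'       $cfg.DBDirectory       '*.edb'   # the database itself
    Get-DirUsage 'DBLogDirectory'    $cfg.DBLogDirectory    '*.log'   # ESE transaction logs
    Get-DirUsage 'DBSystemDirectory' $cfg.DBSystemDirectory            # checkpoint file
    Get-DirUsage 'DBTempDirectory'   $cfg.DBTempDirectory
) | Format-Table -AutoSize
```

The actual move (stopping the CA service, copying the files, updating these four values and starting the service again) is the procedure in the linked article; this only tells you whether the target volume has room, and whether the growth is in the .edb file or in uncommitted .log files, which points to different remedies.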