none
Lots of expired certificates on my HyperV server RRS feed

  • Question

  • I've been having all sorts of issues with ADCS not starting and in the process of trying to figure out why (I still haven't...) I noticed that in the Certification Authority there are a ton of expired certificates going back a few years. See the picture below.

    (a) why are they there?

    (b) should I delete them?

    (c) is there anything I should do to stop them re-appearing, ie. do I need to generate one new certificate that has a "sensible" expiration date?

    Thanks in advance for your help.

    

    Sunday, October 14, 2018 7:51 AM

All replies

  • This won't affect the CA (unless the database is extraordinarily big - you can check that size. The certs are usually 2-3KB each - Therefore a million certs would equal probably less than 3GB in size, small by today's standards)

    But it's usually a good idea to schedule deletes of unnecessary objects in the CA database. The most obvious action would be to remove the expired certificates. But before starting, be sure you have a backup copy for your regular auditing. 

    The CA stores all issued certs here that it has issued. Other Issuing CAs will have their own db of certs issued, crls, failed requests and pending requests. It's a good idea to review these from time to time as, say, a kerberos error could be causing a quickly increasing number of failed requests that you are not aware of.

    Don't remove certificates that are valid.

    As for "c" above, the answer is no. And as for "one new certificate", etc., just have good templates based on good planing, design and documentation of your PKI, and in this case, Certificate Template Design.

    As for ADCS not starting, it looks like it's started if you're seeing the Issued Certificates panel on the CA.

    Open a command prompt on the Issuing CA and enter certutil -deleterow /?

    Use the examples to do remove expired certificates prior to 3 months ago for instance:


    Hope this helps,

    Bill


    • Edited by Bill Stites Wednesday, October 17, 2018 4:25 AM
    Wednesday, October 17, 2018 4:25 AM
  • Excellent, thank you. Now I need to figure out why ADCS isn't starting - you're right that it must have started at some point but on all three of my DCs it shows up as red in server manager and the service itself is stopped.
    Wednesday, October 17, 2018 5:52 AM