This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi.
I have newly deployed two-tier PKI.
While installing I've reissued CA-certt few times (both for root CA and subCA).
Now, when I open CA properties I see three root CA (both for root CA and sub CA).
I want to remove unnecessary cert from my PKI. But no matter what I do the certificates are still there.
What was done:
What should I do to eliminate this certs? I've already spent a lot of time on this seemingly simple task.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 75%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
At your point 3 by CACertHash: It is important here not to simply delete the values, but to replace them with a placeholder in the form of a hyphen "-" so that the counter for the certification authority version is retained.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 25%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
THANK YOU!
I will find you, and I will send you something nice.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello Евгений Котляревский,
Thank you for posting in Q&A forum.
If the certificates (root CA certificates and issuing CA certificates) are not expired, you can not delete any of them. If the root certificate or issuing certificates doesn't expire, you delete it, and there will be problems with the entire PKI.
If one or more of them are expired, you can delete the expired certificates.
For the root CA certificate, if it is expired, you can delete the old CA certificate from the Certification Authorities tab.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
In my PKI properties I see three CA-certificates (#0,#1,#2). #0 and #1 still not expired, but there were some inaccuracies during their issuing, so I don't need them anymore. And I believe, this certificates no in use.
Certificates #3 is correct and used in PKI.
So you You say, there is no way I can delete certificates #0 and #1 while they are still valid?
Hello
Good day!
So you You say, there is no way I can delete certificates #0 and #1 while they are still valid?
A: There way to delete certificates #0 and #1 is the method I mentioned above. But based on my knowledge, if certificates #0 and #1 are not expired and you delete them, there will be issue on the PKI.
Best Regards,
Daisy Zhou