This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 9%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
Hi Team
Due to some circumstance, my subordinate certificate showing two certificate, Please guide me how to remove manually from the certificate authority.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Mohammad Ehteshamuddin Khan - AC CESS ,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Hello @Mohammad Ehteshamuddin Khan - AC CESS ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
On the subordinate CA, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME. Look for cacerthash registry. This will contain the hash of your CA Certificate. Please remove the unwanted hash entry.
Make sure to take a backup of registry before making any change.
Hi Abhijeet
I followed the steps as you elaborated but after delete he hash entry and restarted the services of the certificate authority have got error message and it was not resume until restored the hash key.
Please suggest me how to remove the certificate #0 after impacting the production certificate #1. your suggestion is highly appreciated.
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELK%3C/text%3E%3C/svg%3E)
Check "CAcertHash" parameter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<name of CA>
and delete all needless strtings in "Value data" field. Certificate #0 corresponds with first line, Certificate #1 - whith second, and etc.
!!!Make sure to take a backup of registry before making any change.!!!
Hello @MohammadEhteshamuddinKhanACCESS-3899,
Thank you for posting here.
We can not delete the two certificates if the two certificates are not expired.
If one or more certificates expired, we can delete it.
And the deletion method is as follows:
Open PKIview.msc on Enterprise CA server.
1) Start pkiview.msc.
2) Right-click Enterprise PKI, and then click Manage AD Containers
3) Click the each tab to check this expired certificate and compare the serial number (if the serial number is the certificate that expired and we want to delete, we can delete it).
4) Select the old root CA certificate and then delete it
Tip:
Why there are two certificates (certificate #0 and certificate#1), because we have renewed the subordinate certificate.
Best Regards,
Daisy Zhou
Dear Daisy Zhou
First i would like to thanks for your post.
The way you explained is very impressive. due to some mistake have done in CDP "url" in root CA server. later i have corrected the "url" and use the the *.req file to update the subordinate server. I noticed the Root CA has issued the certificate but while importing the certificate in the Subordinate server, It is not being accepted and pop-up error message as duplicate serial number is in used.
due to this reason i have made another *.req file and followed the steps. Now everything is going well but it was showing two certificate under the certificate authority.
Now i want to clean previous one, please let me know is there any way to do the same.
your suggestion is highly appreciated.
Thanks in advance.
Hello @Mohammad Ehteshamuddin Khan - AC CESS ,
If there is no any relationship between certificate #0 and certificate #1, I mean certificate #1 does not use certificate #0's thumbprint to signature, and no certificates issued by certificate #0 and you must to delete certificate #0, it is the same step.
For example:
Hope the infomration is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou