Active Directory Certificate Services - Inventory (Not Trusted Certificate)

Question

Hi MSFT Team,

I am trying to clean up orphaned or not trusted certificate in our Active Directory Domain Server. Is there a way to check which services, device or machine that use that certificate? Is it possible to map the services and client devices that use that certificate before we can delete or clean it up?

Please advise.

Thanks,

GCE

Answer 1

Hi @GCE

You can use a powershell script for cleaup expired and untrsuted certificate , the script below works and you can adjust it to generate a log file to trace cleaup action.

This script can be used , if you have the list of member servers in csv file and run it through scheduled task on a admin server able to communicate with target member machines through WinRM:

$ServerList = Get-Content "c:\temp\serverlist.CSV"

Foreach($Server in $ServerList) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        # Get Certificate list 
        $Certs = Get-ChildItem "Cert:\LocalMachine\My" -Recurse
        # Get the list of root certificate


$root_cert_list = Get-ChildItem -Path "Cert:\LocalMachine\Root" | select -ExpandProperty Subject
# Loop through each object in $Certs
Foreach($Cert in $Certs) {
    # The property "NotAfter" indicate the expired time , if it's older than the current time, the certificate will be deleted 
    If($Cert.NotAfter -lt (Get-Date)) 
        {
        $Cert | Remove-Item
         }
# Delete untrust certificate : if the certificate issuer is not in the list of root certificate it will be deleted
elseif($root_cert_list -notcontains  $cert.Issuer) 
{
$Cert | Remove-Item
}
}
}
}

Please don't forget to mark helpful answer as accepted

Answer 2

Hello Bourbita,

Do you have best practices and guides on how to enabled it?

Thanks,

GCE