Active Directory Certificate Services - Inventory (Not Trusted Certificate)

Glenn Escarayan 141 Reputation points
2023-01-17T20:21:34.5733333+00:00

Hi MSFT Team,

I am trying to clean up orphaned or untrusted certificates in our Active Directory Domain Server. Is there a way to check which services, devices, or machines use that certificate? Is it possible to map the services and client devices that use that certificate before we delete or clean it up?

Please advise.

Thanks,

GCE


2 answers

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2023-01-31T20:01:22.5833333+00:00

    Hi @GCE

    You can use a PowerShell script to clean up expired and untrusted certificates; the script below works, and you can adjust it to generate a log file to trace the cleanup actions.

    This script can be used if you have the list of member servers in a CSV file and run it through a scheduled task on an admin server able to communicate with the target member machines through WinRM:

    $ServerList = Get-Content "c:\temp\serverlist.CSV"

    Foreach ($Server in $ServerList) {
        Invoke-Command -ComputerName $Server -ScriptBlock {
            # Get the certificate list from the machine's personal store
            $Certs = Get-ChildItem -Path "Cert:\LocalMachine\My" -Recurse

            # Get the list of root certificate subjects (used to decide which issuers count as trusted)
            $root_cert_list = Get-ChildItem -Path "Cert:\LocalMachine\Root" | Select-Object -ExpandProperty Subject

            # Loop through each object in $Certs
            Foreach ($Cert in $Certs) {
                # The "NotAfter" property is the expiry time; if it is older than the current time, the certificate is deleted
                If ($Cert.NotAfter -lt (Get-Date)) {
                    $Cert | Remove-Item
                }
                # Delete untrusted certificates: if the issuer is not in the list of root certificates it is deleted
                # (note: an issuer that is an intermediate CA held in Cert:\LocalMachine\CA is not in this list,
                # so certificates issued by an intermediate CA are also removed by this branch)
                ElseIf ($root_cert_list -notcontains $Cert.Issuer) {
                    $Cert | Remove-Item
                }
            }
        }
    }


    Please don't forget to mark the helpful answer as accepted.
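Before running a deletion pass like the one in the answer above, the original question asks for an inventory of what is actually using each certificate. The following PowerShell script is an added example, not code from the answer, from Microsoft, or from this thread: it is read-only, classifies each certificate in the machine's personal store by expiry and by chain validation against the machine's own trust stores (so certificates issued by an intermediate CA are not mistaken for untrusted ones), and reports which local HTTP.sys bindings and whether the RDP listener reference each thumbprint. The function name Get-CertificateInventory, the parsing of `netsh http show sslcert` output, and the use of the Win32_TSGeneralSetting class for the RDP certificate are this example's own assumptions.

```powershell
# Added example (not the answer's code): read-only certificate inventory for one server.
# Run it locally or through Invoke-Command against the same server list as the cleanup script.
function Get-CertificateInventory {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Thumbprints bound by HTTP.sys (IIS sites, WinRM over HTTPS, other HTTP.sys listeners).
    # Assumption: each binding in "netsh http show sslcert" prints an "IP:port" or "Hostname:port"
    # line followed by a "Certificate Hash" line.
    $httpBindings = @{}
    $current = $null
    foreach ($line in (netsh http show sslcert 2>$null)) {
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)') {
            $current = $Matches[2]
        }
        elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $hash = $Matches[1].ToUpperInvariant()
            if (-not $httpBindings.ContainsKey($hash)) { $httpBindings[$hash] = @() }
            $httpBindings[$hash] += $current
        }
    }

    # Thumbprint used by the RDP listener (assumption: Win32_TSGeneralSetting is present).
    $rdpHash = $null
    try {
        $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -ErrorAction Stop
        $rdpHash = ($ts | Select-Object -First 1).SSLCertificateSHA1Hash
        if ($rdpHash) { $rdpHash = $rdpHash.ToUpperInvariant() }
    } catch { }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Build the chain against the machine's Root and CA stores instead of comparing the
        # Issuer string with the Root store; revocation is skipped so the pass works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Reset()

        $thumb = $cert.Thumbprint.ToUpperInvariant()
        $usedBy = @()
        if ($httpBindings.ContainsKey($thumb)) {
            $usedBy += ($httpBindings[$thumb] | ForEach-Object { "HTTP.sys $_" })
        }
        if ($rdpHash -and $rdpHash -eq $thumb) { $usedBy += 'RDP listener' }

        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Thumbprint    = $thumb
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            HasPrivateKey = $cert.HasPrivateKey
            UsedBy        = ($usedBy -join '; ')
        }
    }
}

# Example run: show only the cleanup candidates together with their local references.
Get-CertificateInventory |
    Where-Object { $_.Expired -or -not $_.ChainTrusted } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter, Expired, ChainTrusted, UsedBy -AutoSize
```

To cover a fleet, wrap the function in `Invoke-Command -ComputerName $ServerList` and pipe the objects to `Export-Csv` so the review happens before any `Remove-Item`. The `UsedBy` column only reflects references on the server itself (HTTP.sys bindings and the RDP listener); it cannot show which remote client devices trust or pin a certificate, so a certificate with an empty `UsedBy` still warrants checking the services that consume it before it is removed. A non-empty `ChainStatus` explains why `ChainTrusted` is false, for example `UntrustedRoot` or `PartialChain`, which is more informative than a plain issuer-string mismatch.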


  2. Glenn Escarayan 141 Reputation points
    2023-02-09T07:03:12.08+00:00

    Hello Bourbita,

    Do you have best practices and guides on how to enable it?

    Thanks,

    GCE

