Deleting expired certificates in Trusted Root Certificate Authorities

Rifka Khairani 40 Reputation points
2023-01-24T03:39:24.9966667+00:00

Hi, I have three expired certificates installed in the Trusted Root Certificate Authorities/Certificates:

  • utn-userfirst-object
  • addtrust external ca root
  • quovadis root certification authority

but those three certificates are part of the Microsoft Trusted Root Program with NotBefore status (certificate status: https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). There are no applications that use those certificates.

My question: Are those certificates safe to be deleted?

Thank you

Windows Server

Accepted answer
  1. Thameur-BOURBITA 33,976 Reputation points
    2023-01-24T07:56:29.5233333+00:00

    Hi @Rifka Khairani

    If those expired certificates aren't revoked, they can still be used to validate anything signed before their expiration. If not, you can delete them.

    Please don't forget to mark the helpful answer as accepted.

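Before deciding, it helps to see exactly which roots in the machine store are expired, whether any of them is also explicitly distrusted, and to keep a copy of each so the decision is reversible. The script below is an added example, not code from the thread or from Microsoft; the backup directory and the `-Remove` switch are assumptions of this example.

```powershell
# Added example (not from the thread). Inventory expired certificates in the
# machine Trusted Root store, flag any that also appear in the Disallowed store,
# and export each one to a .cer file before any removal. Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupDir = "$env:TEMP\ExpiredRootBackup",   # assumed backup location
    [switch]$Remove                                       # only delete when asked to
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$now        = Get-Date
# Thumbprints Windows has been told never to trust (distinct from merely expired).
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
              Select-Object -ExpandProperty Thumbprint

$expired = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt $now }

foreach ($cert in $expired) {
    $status = if ($disallowed -contains $cert.Thumbprint) { 'DISALLOWED' } else { 'expired-only' }

    # An empty EnhancedKeyUsageList means the certificate carries no EKU
    # restriction, i.e. it is not limited to particular purposes.
    $purposes = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $status
        Purposes   = $purposes
    }

    # Export the public certificate first so it can be restored with Import-Certificate.
    $file = Join-Path $BackupDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null

    # Removal honours -WhatIf / -Confirm through ShouldProcess.
    if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, 'Remove from Trusted Root store')) {
        Remove-Item -Path $cert.PSPath
    }
}
```

Run it without `-Remove` to get the inventory and the backups; `.\script.ps1 -Remove -WhatIf` shows what would be deleted without touching the store. Two things to keep in mind when reading the output: an expired root that is not in the Disallowed store still validates signatures that were timestamped while it was valid, which is the point the accepted answer makes, and roots that belong to the Microsoft Trusted Root Program can be re-added by the Automatic Root Certificates Update mechanism when a chain needs them, so a local deletion is not necessarily permanent.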

3 additional answers

Sort by: Most helpful
  1. Jermain Dettons 10 Reputation points
    2023-08-09T10:48:37.89+00:00

    Elaborating on the original question

    • WHAT IS THIS CERTIFICATE?
    • IF IT'S REVOKED THEN WHY IS IT IN THE TRUSTED ROOT CERTIFICATION AUTHORITIES?
    • MINE SHOWS THAT IT STILL HAS: TIME STAMPING, CODE SIGNING & SYSTEM FILE ENCRYPTION - PURPOSES

    So yea it sounds like this certificate is still active, SO AGAIN WHAT THE HELL IS IT?

    I think we get that expired certificates are for backwards compatibility, and while everyone seems to say "it can only affect anything before the expiration date," do we know this to be absolutely true?

    This Microsoft forum NEEDS to do a better job of informing the user instead of saying "uhhhh yea don't delete that" or "follow this link for information." THE URL SAYS "LEARN.MICROSOFT.COM", so teach, by informing........

    1. Who it is
    2. What it is
    3. What it does
    4. Where it came from
    5. Whether it's malicious or not
    6. How to verify it is in-fact safe and needed

    THANK YOU!

    2 people found this answer helpful.

  2. Limitless Technology 44,421 Reputation points
    2023-01-25T10:03:46.8566667+00:00

    Hello there,

    Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if you have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

    Note: Back up the CA, including the database and log files, prior to deleting any certificates from the database.

    For more information, you can refer to the following link:

    https://learn.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

    The following script is for your reference: https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-expired-8fcfcf48

    Hope this resolves your query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    1 person found this answer helpful.
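This answer is about the database of an Active Directory Certificate Services issuing CA, which is a different object from the Trusted Root store the question asks about. For readers who do operate a CA, the backup-then-prune sequence it describes looks like the following. This is an added example, not the linked script or blog's code; the backup directory and the retention cut-off are assumptions, and the date format passed to certutil follows the system locale.

```powershell
# Added example (not from the thread or the linked blog). Back up the CA database,
# then remove certificate rows that expired before a cut-off date. Run in an
# elevated prompt on the CA itself. Skip the prune if Key Archival is enabled and
# the archived private keys are still needed.
param(
    [string]$BackupDir = 'C:\CABackup',                    # assumed location
    [datetime]$ExpiredBefore = (Get-Date).AddYears(-1),    # assumed retention window
    [int]$MaxBatches = 50                                  # guard against an endless loop
)

# 1. Database and log files first; nothing is deleted if this step fails.
certutil -backupdb $BackupDir
if ($LASTEXITCODE -ne 0) {
    throw "CA database backup to $BackupDir failed; no rows were deleted."
}

# 2. Prune certificate rows older than the cut-off. certutil -deleterow works in
#    batches and returns non-zero while more matching rows remain, so repeat it
#    until it succeeds or the batch limit is reached.
$cutoff  = $ExpiredBefore.ToString('d')   # short date in the local culture
$batches = 0
do {
    certutil -deleterow $cutoff Cert
    $batches++
} while ($LASTEXITCODE -ne 0 -and $batches -lt $MaxBatches)

if ($LASTEXITCODE -ne 0) {
    Write-Warning "Stopped after $MaxBatches batches with rows still pending; check certutil output."
}
```

Deleting rows only trims the CA's own records; it does not affect which roots the machine trusts, so it is not an answer to the original question about the Trusted Root store.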

