delete or revoke expired certificates in Certification Authority

Emma Yoyo 26 Reputation points
2023-06-27T02:25:38.9533333+00:00

Should I delete or revoke expired certificates in Certification Authority? e.g. EFS certificates.

I found a blog; it says I can delete the expired certificates by using certutil -deleterow. In Certification Authority, I can only revoke the certificates.

The question is delete or revoke, which is better? Thanks.


1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-06-27T17:19:00.64+00:00

    Hello

    Thank you for your question and reaching out.

    They can still be used to validate anything signed before their expiration if the expired certificates aren't revoked. Otherwise, you can delete them.

    The certificate loses its validity when it expires. Therefore, you can safely remove a certificate from the CA database after it has expired. The only situation where this is not true is when Key Archival is set up on the CA. It's possible that you shouldn't delete expired CA certificates from the CA database if you're archiving private keys.

    Before deleting any certificates from the database, make a backup of the CA, including the database and log files.

    --If the reply is helpful, please Upvote and Accept as answer--

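The answer's two preconditions (no key archival, a fresh backup) turned into a pruning script, as an added example that is not part of the thread. It assumes an elevated session on the CA host, an en-US short-date format, an assumed backup path, and that `certutil -cainfo kracount` prints the KRA certificate count as the last integer of its output.

```powershell
# Added example (not from the original post): report, and optionally delete,
# expired certificate rows in an AD CS database after the safety checks above.
param(
    [int]$ExpiredForDays = 365,            # only rows expired at least this long ago
    [string]$BackupDir = 'C:\CA-Backup',   # assumed path; a timestamped subfolder is created
    [switch]$Delete                        # without this switch the script only reports
)

# certutil reads -deleterow / -restrict dates in the host's short-date format;
# en-US (MM/dd/yyyy) is assumed here.
$cutoff = (Get-Date).AddDays(-$ExpiredForDays).ToString('MM/dd/yyyy')

# 1. Refuse to prune when the CA archives private keys: the archived key lives in
#    the same row as the certificate, so deleting the row deletes the key.
#    Parsing the last integer of 'certutil -cainfo kracount' is an assumption.
$kraOut = certutil -cainfo kracount 2>&1 | Out-String
$kraMatch = [regex]::Matches($kraOut, '\d+') | Select-Object -Last 1
$kraCount = if ($kraMatch) { [int]$kraMatch.Value } else { 0 }
if ($kraCount -gt 0) { throw "Key archival is configured ($kraCount KRA certs); not pruning." }

# 2. List the candidates: issued rows (Disposition 20) with NotAfter on or before the cutoff.
$restrict = "Disposition=20,NotAfter<=$cutoff"
$candidates = @(certutil -view -restrict $restrict -out 'RequestID,SerialNumber,NotAfter' csv |
                ConvertFrom-Csv)
Write-Host "$($candidates.Count) issued certificate(s) expired on or before $cutoff"
$candidates | Format-Table -AutoSize

if (-not $Delete) { Write-Host 'Report only; re-run with -Delete to prune.'; return }

# 3. Back up database and log files first (the answer's precondition).
#    certutil -backupDB needs an empty target, hence the timestamped subfolder.
$target = Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Force -Path $target | Out-Null
certutil -backupDB $target
if ($LASTEXITCODE -ne 0) { throw "CA database backup to $target failed; aborting." }

# 4. Delete expired certificate rows, then re-count so the operator can see what is left
#    (certutil may stop early on large databases; re-run the script until the count is 0).
certutil -deleterow $cutoff Cert
$remaining = @(certutil -view -restrict $restrict -out 'RequestID' csv | ConvertFrom-Csv)
Write-Host "$($remaining.Count) expired row(s) still present after this pass"
```

Revoked rows (Disposition 21) are deliberately left alone here; the CRL still needs them until the CA's own housekeeping drops them.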
