![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 4%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
7,023 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello
Thank you for your question and reaching out.
They can still be used to validate anything signed before their expiration if the expired certificates aren't revoked. Otherwise, you can delete them.
The certificate loses its validity when it expires. Therefore, you can safely remove a certificate from the CA database after it has expired. The only situation where this is not true is when Key Archival is set up on the CA. It's possible that you shouldn't delete expired CA certificates from the CA database if you're archiving private keys.
Before deleting any certificates from the database, make a backup of the CA, including the database and log files.
--If the reply is helpful, please Upvote and Accept as answer--