Certification Authority - CA - Windows Server 2022

BRUNO AUGUSTO LOBO SOARES
2025-04-01T11:46:30.55+00:00

I recently created a new certificate authority and removed the old ones. There are 3 Active Directory servers on the network, and on one of them, an expired certificate is still appearing. The certificate does not seem to point to any server. I’ve already attempted to remove old references using ADSI Edit, but without success. I even demoted and re-promoted the server to the domain, but the issue persists. At this point, I’m unsure where else to look for this old certificate reference. Could someone assist me? Below is an example for reference: 10.10.10.10

Not Before: Mar 10 13:28:14 2022 GMT

Not After : Mar 10 13:38:14 2024 GMT

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

URI:ldap:///CN=teste-01-CA,CN=ff-01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=teste,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint

CA Issuers - URI:ldap:///CN=teste-01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=teste,DC=corp?cACertificate?base?objectClass=certificationAuthority


1 answer

  1. Anonymous
    2025-04-02T07:04:33.8666667+00:00

    Hello

    Thank you for posting in Q&A forum.

    Where do you see the expired certificate? CA Properties as below:


    If so, for the root CA certificate, delete the old CA certificate from the Certification Authorities tab:

    1. Start pkiview.msc.

    2. Right-click Enterprise PKI, and then click Manage AD Containers.

    3. Click the Certification Authorities tab.

    4. Select the old root CA certificate and then delete it.

    Then you can check if the expired certificate is removed or not.

    If it is not the case I mentioned above, do you mean the expired certificate in MMC (by opening certlm.msc) you want to delete? If so, you can right click it and select "Delete".


    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
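
A read-only inventory of the places discussed in this thread, added here as an example and not posted by either participant: it lists every CA certificate published under CN=Public Key Services (the containers that Manage AD Containers in pkiview.msc shows), the CDP objects like the one in the question's LDAP URI, and expired certificates in the local machine stores that certlm.msc shows. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition, and it deletes nothing.

```powershell
# Added example (not from the thread). Read-only: reports, never deletes.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$now      = Get-Date

# 1. Objects carrying CA certificates: AIA, Certification Authorities,
#    Enrollment Services and NTAuthCertificates all use the cACertificate attribute.
$caObjects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree `
    -LDAPFilter '(cACertificate=*)' -Properties cACertificate

$published = foreach ($obj in $caObjects) {
    foreach ($raw in $obj.cACertificate) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        } catch {
            # cACertificate is mandatory, so an emptied object holds a placeholder byte.
            Write-Warning "No parsable certificate in $($obj.DistinguishedName)"
            continue
        }
        [pscustomobject]@{
            Container  = $obj.DistinguishedName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt $now
        }
    }
}
$published | Sort-Object Container, NotAfter | Format-List

# 2. CRL distribution point objects (CN=<CA name>,CN=<server>,CN=CDP,...).
#    Entries named after a removed CA are leftovers from that CA.
Get-ADObject -SearchBase "CN=CDP,$pkiBase" -SearchScope Subtree `
    -LDAPFilter '(objectClass=cRLDistributionPoint)' |
    Select-Object Name, DistinguishedName | Format-List

# 3. Expired CA certificates in this server's own machine stores
#    (Trusted Root and Intermediate CAs, as shown in certlm.msc).
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt $now } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List
```

Run it on the server that still shows the expired certificate; a match in section 1 or 2 is published in Active Directory, while a match only in section 3 is local to that machine.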

