Is it normal that Azure AD Connect Sync doesn't delete expired certificates?

Ian Perry 6 Reputation points
2020-05-27T17:06:02.977+00:00

We've been getting event 64 on multiple domain controllers looking like this:

May 26 04:00:44 <DC NAME> MSWinEventLog 2 Application 50 Tue [user.emerg] May 26 04:00:30 2020 64 Microsoft-Windows-CertificateServicesClient-AutoEnrollment N/A N/A Warning <DC NAME>.internal.<DOMAIN>.com None Certificate for local system with Thumbprint d1 1b 68 2b 53 75 21 46 44 da f9 dc b2 25 22 48 ab 42 86 61 is about to expire or already expired. 40

After using:

Get-ChildItem Cert:\ -Recurse | Where-Object {($_.Thumbprint -match "D11B68") -and ($_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2])} | Select-Object FriendlyName, NotAfter, Issuer, Thumbprint

to locate the certificate, I get the following:

FriendlyName NotAfter             Issuer                                              Thumbprint
------------ --------             ------                                              ----------
             3/7/2019 10:37:45 PM CN=Microsoft PolicyKeyService Certificate Authority D11B682B5375214644DAF9DCB2252248AB428661

Is it normal for these certificates to not be removed after expiration? If so, would it be safe to remove it or automate removal of these expired certs? Help is appreciated.


1 answer

  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee
    2020-05-29T03:07:06.697+00:00

    Yes, once they expire they can sit there. You may need to remove them using a PowerShell script like this one to clear them out. If they have similar names to existing ones then you

    From the troubleshooting guide:

    Reduce the number of certificate values on the on-premises AD object (15 or less) by removing values that are no longer in use by your organization. This is suitable if the attribute bloat is caused by expired or unused certificates. You can use the PowerShell script available here to help find, backup, and delete expired certificates in your on-premises AD. Before deleting the certificates, it is recommended that you verify with the Public-Key-Infrastructure administrators in your organization.

    See also: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adsynctools

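As an added illustration of the "find, back up, delete" workflow the troubleshooting guide describes (this is not Microsoft's script from the guide, nor the one linked in the answer), the following PowerShell reports the userCertificate values on one on-premises AD object, writes the expired ones to .cer backup files, and removes them only when -Remove is given. It assumes the ActiveDirectory RSAT module, rights to modify the object, and that $Identity is the object's distinguished name; the -Remove hashtable form for a multi-valued attribute is assumed to accept an array of byte arrays.

```powershell
# Added example, not the script from the troubleshooting guide.
# Lists the userCertificate values on an AD object, backs up expired ones as DER
# .cer files and removes them only when -Remove is passed (report-only by default).
param(
    [Parameter(Mandatory)] [string] $Identity,   # distinguished name of the AD object (placeholder you supply)
    [string] $BackupDir = "$env:TEMP\userCertificate-backup",
    [switch] $Remove                              # without -Remove nothing is changed in AD
)
Import-Module ActiveDirectory

$obj   = Get-ADObject -Identity $Identity -Properties userCertificate
$certs = @($obj.userCertificate)
Write-Host "Object $($obj.DistinguishedName) has $($certs.Count) userCertificate value(s)"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$expired = @()
foreach ($raw in $certs) {
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    } catch {
        Write-Warning "Skipping a value that does not parse as X.509: $_"
        continue
    }
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    Write-Host ("{0,-8} {1} {2,-50} {3}" -f $state, $cert.NotAfter.ToString('yyyy-MM-dd'), $cert.Issuer, $cert.Thumbprint)
    if ($state -eq 'EXPIRED') {
        # Back up the raw DER bytes before touching the directory so the value can be restored.
        [IO.File]::WriteAllBytes((Join-Path $BackupDir "$($cert.Thumbprint).cer"), $raw)
        $expired += ,$raw   # keep each byte[] as one element
    }
}

if ($expired.Count -gt 0 -and $Remove) {
    # -Remove on a multi-valued attribute deletes only the listed values; the others stay.
    Set-ADObject -Identity $obj -Remove @{ userCertificate = $expired }
    Write-Host "Removed $($expired.Count) expired value(s); backups are in $BackupDir"
} elseif ($expired.Count -gt 0) {
    Write-Host "Found $($expired.Count) expired value(s); re-run with -Remove to delete them (backups written to $BackupDir)"
}
```

Run it without -Remove first and compare the EXPIRED rows against what your PKI administrators expect before deleting anything; the .cer backups can be re-added with Set-ADObject -Add if a value turns out to be needed.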