Remove expired Root CA certs - OK and how to clean up?

SenhorDolas 1,191 Reputation points


I have a few expired root CA certs in my internal CA which are still being issued to new machines.

Is it OK to remove these certs from the tabs in **Enterprise PKI > Manage AD Containers**?


Also just to test an app that is failing to read the current Root CA, can I remove the expired certs from the server directly?
I understand that the PKI will resend them but I just need a quick test on this.


Accepted answer
  1. Vadims Podāns 9,111 Reputation points MVP

    Those which are flagged as "Not time valid" are safe to be removed from "Manage AD Container" dialogs. Then they will be gone from Certificates MMC snap-in.

    1 person found this answer helpful.
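Before removing anything, it helps to inventory which certificates are actually past their validity period, both in the AD containers and in the local Trusted Root store of the machine running the failing app. The following read-only PowerShell sketch is an added example, not part of the original thread. It assumes a domain-joined machine and an account that can read the Configuration partition, and it covers only AD objects that carry a `cACertificate` attribute.

```powershell
# Added example: read-only inventory, nothing is deleted or modified.
$now = Get-Date

# 1. Expired certificates in the local machine Trusted Root store
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt $now } |
    Select-Object @{ n = 'Source'; e = { 'LocalMachine\Root' } },
                  Subject, Thumbprint, NotAfter

# 2. Expired certificates published under CN=Public Key Services in AD
#    (the containers behind Enterprise PKI > Manage AD Containers)
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base     = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"

$searcher = [System.DirectoryServices.DirectorySearcher]::new($base)
$searcher.Filter      = '(cACertificate=*)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('cacertificate')
[void]$searcher.PropertiesToLoad.Add('distinguishedname')

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties['distinguishedname'][0]
    foreach ($raw in $result.Properties['cacertificate']) {
        $bytes = [byte[]]$raw
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        }
        catch {
            # Some objects hold a placeholder value that is not a certificate; skip it
            continue
        }
        if ($cert.NotAfter -lt $now) {
            [pscustomobject]@{
                Source     = $dn
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}
```

Matching thumbprints between the two result sets shows which local store entries come from AD publication and would be redistributed until the AD copy is removed.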
