This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 61%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello!
I have a few expired root CA certs in my internal CA which are still being issued to new machines.
Is it OK to remove these certs from the tabs in ***Enterprise PKI > Manage AD Containers*?**
Also just to test an app that is failing to read the current Root CA, can I remove the expired certs from the server directly?
I understand that the PKI will resend them but I just need a quick test on this.
Those which are flagged as "Not time valid" are safe to be removed from "Manage AD Container" dialogs. Then they will be gone from Certificates MMC snap-in.