Also are there any changes as a result of SP1? It looks like the persons
that had permissions to place Certificates on Tokens (eToken) don't have the
proper permissions anymore and get a message that an "Unexpected Error
Occured"
Thanks for your help
Regards,
Hans
What kind of certificates do you want to remove? I would like to list the
following steps for your reference to remove a certificate:
Revoke all active certificates that are issued by the enterprise CA
a. Click Start, point to Administrative Tools, and then click
Certification Authority.
b. Expand your CA, and then click the Issued Certificates folder.
c. In the right pane, click one of the issued certificates, and then press
CTRL+A to select all issued certificates.
d. Right-click the selected certificates, click All Tasks, and then click
Revoke Certificate.
e. In the Certificate Revocation dialog box, click to select Cease of
Operation as the reason for revocation, and then click OK.
For more details, please refer to the following article:
How to decommission a Windows enterprise
http://support.microsoft.com/?id=889250
With regards to "It looks like the persons that had permissions to place
Certificates on Tokens", I am afraid that I have not quite caught your
meaning. Could you please take a screen shot of the error message and send
it to v-r...@microsoft.com for research? In addition, please let me know
the steps to reproduce this issue.
I look forward to your reply.
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Hans Stope" <han...@news.postalias>
>Subject: Expired Certificates
>Date: Tue, 28 Jun 2005 18:54:03 -0700
>Newsgroups: microsoft.public.windows.server.general
If you mean you want to totally delete a certificate, you can use the
Certutil command to delete a certificate for user or for machine. The
syntax of how to delete the
certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root -user
More details can be found from the article below:
Certutil tasks for managing certificates
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5e0f52f2-f7c8-4c74-9497-be52366df52e.mspx
You can also use MMC to delete a user or machine certificate. Please key in
mmc in Run box, click Add/remove snap-in from File menu, choose
Certificate, you can specify to handle machine certificate or user
certificate. Please then choose the certificate you want to remove and
right click the mouse to choose delete.
If you have any update or questions, please feel free to post back.
Best regards,
Rebecca Chen
--------------------
>From: v-r...@online.microsoft.com ("Rebecca Chen [MSFT]")
>Subject: RE: Expired Certificates
>Date: Wed, 29 Jun 2005 10:41:03 GMT
>Newsgroups: microsoft.public.windows.server.general
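Added example, not part of the original thread: the user or machine store clean-up that the reply above describes with certutil and the MMC Certificates snap-in, written as a PowerShell function. The function name Remove-ExpiredCertificate and its parameters are hypothetical; it acts on a local certificate store only, not on a CA's Issued Certificates database.

```powershell
# Added example: list and optionally delete expired certificates from a
# local certificate store (the stores shown by the MMC Certificates snap-in).
function Remove-ExpiredCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # User certificates or machine certificates
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'CurrentUser',
        # 'My' is the Personal store
        [string]$StoreName = 'My'
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    # OpenExistingOnly avoids silently creating a store if the name is mistyped
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, OpenExistingOnly'
    $store.Open($flags)
    try {
        $now = Get-Date
        # Materialize the matches first so removal does not disturb enumeration
        $expired = @($store.Certificates | Where-Object { $_.NotAfter -lt $now })
        foreach ($cert in $expired) {
            $label = '{0} (serial {1}, expired {2:yyyy-MM-dd})' -f `
                $cert.Subject, $cert.SerialNumber, $cert.NotAfter
            # Honors -WhatIf and -Confirm; nothing is deleted on a dry run
            if ($PSCmdlet.ShouldProcess($label, 'Delete certificate')) {
                $store.Remove($cert)
            }
            # Emit a record of every expired certificate that was considered
            $cert | Select-Object Subject, SerialNumber, Thumbprint, NotAfter
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run: report what would be deleted from the user's Personal store
Remove-ExpiredCertificate -Location CurrentUser -StoreName My -WhatIf
```

Run it without -WhatIf only after reviewing the dry-run output; the LocalMachine location requires an elevated session.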
Thanks for your answer. I guess I should have been a little more specific.
I monitor a large network in Europe, where I used to work. It consists of a
Root Domain and three Child Domains. We have installed a Root CA and a
Subordinate CA that serves two domains.
We also have installed the CertSrvr website. The Web Forms are used together
with an Enrollment Station, an Enrollment Agent, and eToken software to
request certificates for other users and place them on a USB Token. With
this Token they can set up a secured VPN connection with the network using a
Cisco Concentrator and Active Directory Authentication. The certificates that
are placed on the Tokens are valid for one year. Before the year is up the
user comes back and a new certificate is placed on the Token. Usually by the
time I get to see it the old certificate has expired.
AD Domain Controllers do an auto-enroll, but the old certificates remain in
the Issued Certificates Folder.
So now I have a long list of expired DC and Smartcard User Certificates but I
haven’t been able to find any documentation that specifies what you do with
expired certificates. I would say that you revoke a certificate when it is
still valid and it gets published in the CRL.
But what about Expired Certificates?
Do you revoke them to get them out of the Issued Certificates Folder or do
you delete them? And is deleting them only possible with the CertUtil?
Thanks for your help.
Hans