How do I delete my old ca certs...

  • Thread starter Thread starter Harrison Midkiff
  • Start date Start date
H

Harrison Midkiff

Hello:

I recently renewed my "Root CA". This runs on a Stand Along Root CA on a
Windows 2003 SP1 server. After renewing the cert I still have my old certs
on the server which are confusing my users. I want to remove these.
Attached is a pic of the "General" page from the "certsrv.msc" snap-in. I
want to remove the expired one, but can not delete it. I am just curious if
this what I should do to acheive my goal, and does anyone know how to delete
this?

Thanks.

Harrison Midkiff
 
It is not recommended to delete old CA certs from user's machines, there
might be existing end entity certs which can be still used despite being
expired and they would need to chain up to old CA certs. Moreover it would
be difficult to remove all old CA certs from all the root stores of all the
users machines.
 
From: "Saurav Sinha [MSFT]" <sauravs@online.microsoft.com>

| It is not recommended to delete old CA certs from user's machines, there
| might be existing end entity certs which can be still used despite being
| expired and they would need to chain up to old CA certs. Moreover it would
| be difficult to remove all old CA certs from all the root stores of all the
| users machines.

If a certificate has expired then it should NOT be used. This is the reason certificates
have an expiration date and why organizations have to use software such as Tumbleweed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Spam for the Tumbleweed suggestion <G>

Seriously, if you just renewed the CA certificate, there may be some
applications that do not do revocation checking or validity checking but
will still want to chain to the old root CA. There is nothing wrong with
leaving it in the CA's machine store.
If it is truly expired, you can use the PKI Health Tool (pkiview.msc) to
remove the *expired* certificate from the AIA and Certification Authorities
containers (there are separate tabs for viewing and deleting the certs).
Brian
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u7xIXb0cIHA.5160@TK2MSFTNGP05.phx.gbl...
> From: "Saurav Sinha [MSFT]" <sauravs@online.microsoft.com>
>
> | It is not recommended to delete old CA certs from user's machines, there
> | might be existing end entity certs which can be still used despite being
> | expired and they would need to chain up to old CA certs. Moreover it
> would
> | be difficult to remove all old CA certs from all the root stores of all
> the
> | users machines.
>
> If a certificate has expired then it should NOT be used. This is the
> reason certificates
> have an expiration date and why organizations have to use software such as
> Tumbleweed.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
From: "Brian Komar" <brian.komar@nospam.identit.ca>

| Spam for the Tumbleweed suggestion <G>
|
| Seriously, if you just renewed the CA certificate, there may be some
| applications that do not do revocation checking or validity checking but
| will still want to chain to the old root CA. There is nothing wrong with
| leaving it in the CA's machine store.
| If it is truly expired, you can use the PKI Health Tool (pkiview.msc) to
| remove the *expired* certificate from the AIA and Certification Authorities
| containers (there are separate tabs for viewing and deleting the certs).
| Brian

OK thanks.

<G> noted. But I would not spam for this. However all our workstations must use it. In
the light of malware now using authorities such as Comodo to digitally sign their malware
(the Winfixer group for example) I want to get a good handle on this subject matter. Last
year I read a Black Hat paper on using digitally signing malware to thwart the security
protections provided by Vista. Now I am seeing more and more malware being digitally
signed.

SunBelt blogged one noted example...
http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html
{ BTW: Melih of Comodo revoked the certificate noted above }

Again, I just want to get a handle on the subject matter.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Back
Top