Deleting expired certificates in Trusted Root Certificate Authorities - Microsoft Q&A (2024)

2023-01-24T03:39:24.9966667+00:00

Hi, I have three expired certificates installed in the Trusted Root Certificate Authorities/Certificates:

• utn-userfirst-object
• addtrust external ca root
• quovadis root certification authority

but those three certificates are part of Microsoft Trusted Root Program with NotBefore status (certificate status: [https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). There are no applications that use those certificates.

My question: Are those certificates safe to be deleted?

Thank you

Sign in to comment

1. 

   Jermain Dettons 10Reputation points

   2023-08-09T10:48:37.89+00:00

   Elaborating the original question

   See Also

   Why do I sometimes get incorrect SSL certificate details for my subdomain?

   • WHAT IS THIS CERTIFICATE?
   • IF IT'S REVOKED THEN WHY IS IT IN THE TRUSTED ROOT CERTIFICATION AUTHORITIES?
   • MINE SHOWS THAT IT STILL HAS: TIME STAMPING, CODE SIGNING & SYSTEM FILE ENCRYPTION - PURPOSES

   So yea it sounds like this certificate is still active, SO AGAIN WHAT THE HELL IS IT?

   I think we get that expired certificates are for backwards compatibility, and while everyone seems to say "it can only effect anything before expiration date." Do we know this to be absolutely true?

   This Microsoft forum NEEDS to do a better job of informing the user instead of saying. uhhhh yea don't delete that or follow this link for information. THE URL SAYS "LEARN.MICROSOFT.COM so teach, by informing........

   1. Who it is
   2. what it is
   3. What it does
   4. Where it came from
   5. Whether it's malicious or not
   6. How to verify it is in-fact safe and needed

   THANK YOU!

   1. 

      Tomek Grabowski 31Reputation points

      2023-11-14T15:03:41.3766667+00:00

      Only sensible reply here. Shame nobody from MS cared to answer.

   Sign in to comment

2. 

   Limitless Technology 44,221Reputation points

   2023-01-25T10:03:46.8566667+00:00

   Hello there,

   Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

   Note: Backup the CA including the database and log files prior to deleting any certificates from the database.

   For more information ,you can refer to the following link:

   https://learn.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

   Following script for your reference: https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-expired-8fcfcf48

   Hope this resolves your Query !!

   --If the reply is helpful, please Upvote and Accept it as an answer--

   0 commentsNo comments

   Sign in to comment

3. 

   Limitless Technology 44,221Reputation points

   2023-01-25T10:03:34.7866667+00:00

   Hello there,

   Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

   Note: Backup the CA including the database and log files prior to deleting any certificates from the database.

   For more information ,you can refer to the following link:

   https://learn.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

   Following script for your reference: https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-expired-8fcfcf48

   Hope this resolves your Query !!

   --If the reply is helpful, please Upvote and Accept it as an answer--

   0 commentsNo comments

   Sign in to comment

Sign in to answer