Windows 2008 R2 CA and auto-enrollment: how to get rid of >100,000 issued certificates?

Posted by HopelessN00b on Server Fault See other posts from Server Fault or by HopelessN00b
Published on 2012-08-16T19:44:23Z Indexed on 2012/09/20 3:40 UTC
Read the original article Hit count: 513

The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and invalidating some of the useful certs on there.

This came about as a result of accepting a couple defaults with our Enterprise Root CA (2008 R2) and using a GPO to auto-enroll client machines for certificates to allow 802.1x authentication to our corporate wireless network.

Turns out that the default Computer (Machine) Certificate Template will happily allow machines to re-enroll instead of directing them to use the certificate they already have. This is creating a number of problems for the guy (me) who was hoping to use the Certificate Authority as more than a log of every time a workstation's been rebooted.

My freaking eyes!

(The scroll bar on the side is lying, if you drag it to the bottom, the screen pauses and loads the next few dozen certs.)

Does anyone know how to DELETE 100,000 or so time-valid, existing certificates from a Windows Server 2008R2 CA?

When I go to delete a certificate now, now, I get an error that it cannot be delete because it's still valid. So, ideally, some way to temporarily bypass that error, as Mark Henderson's provided a way to delete the certificates with a script once that hurdle is cleared.

(Revoking them is not an option, as that just moves them to Revoked Certificates, which we need to be able to view, and they can't be deleted from the revoked "folder" either.)

Update:

I tried the site @MarkHenderson linked, which is promising, and offers much better certificate manageability, buts still doesn't quite get there. The rub in my case seems to be that the certificates are still "time-valid," (not yet expired) so the CA doesn't want to let them be deleted from existence, and this applies to revoked certs as well, so revoking them all and then deleting them won't work either.

I've also found this technet blog with my Google-Fu, but unfortunately, they seemed to only have to delete a very large number of certificate requests, not actual certificates.

Finally, for now, time jumping the CA forward so the certificates I want to get rid of expire, and therefore can be deleted with the tools at the site Mark linked is not a great option, as would expire a number of valid certificates we use that have to be manually issued. So it's a better option than rebuilding the CA, but not a great one.

© Server Fault or respective owner

Related posts about Windows

Related posts about active-directory