CA Exchange certificates every week. Can I delete the old ones??
In my environment we are using HSMs for private key protection. When we created the CAs (enterprise subordinates), the CA services installation created two private keys on my HSM: one for the CA certificate itself, and the other one for the CA Exchange feature. CA Exchange is needed for key exchange, authentication and certificate requests from other computers and users for other purposes. The default template establishes a validity of 1 week, as recommended. So every week I'm getting a new CA Exchange certificate, with corresponding private keys stored on my HSM partition. I don't know exactly how many objects (private keys) I can store on a single partition of my HSM, so my questions are: Can I delete the old CA Exchange certificates and corresponding private keys without problems? How? Must I revoke them first and then delete them? Why are the old ones not revoked automatically?!? Thanks in advance
June 30th, 2010 3:51pm

You may extend the template validity period to 1 year, for example, and manually issue this certificate to the CA server.
http://en-us.sysadmins.lv
July 1st, 2010 11:52am

The CA should be deleting old CA Exchange keys when the related certificates expire, so you shouldn't have more than 1 or 2 CA Exchange keys in the HSM at any one time. If that's not happening, perhaps you should contact Microsoft Support. That said, you have two options. One is to increase the validity period of the CA Exchange template, as has already been mentioned. Another is to configure the CA so that CA Exchange certificates are not stored on the HSM. You do this by changing the CSP defined for encryption keys in the registry:

Windows Server 2003:
certutil -setreg ca\EncryptionCSP\Provider "Microsoft Strong Cryptographic Provider"

Windows Server 2008 or higher:
certutil -setreg ca\EncryptionCSP\Provider "Microsoft Software Key Storage Provider"

Revoke the most recent CA Exchange certificate issued by the CA, and then stop and restart Certificate Services.
Jonathan Stephens
July 1st, 2010 6:32pm
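The second option above, carried through as an added PowerShell script that is not part of the thread: it records the current EncryptionCSP provider, switches it to the software KSP named in the answer, revokes the newest CA Exchange certificate and restarts the CA. It assumes the CA Exchange certificate sits in the CA computer's Personal store and is identified by the Private Key Archival EKU (1.3.6.1.4.1.311.21.5); verify both on your CA before relying on them.

```powershell
# Added example (not from the thread). Run in an elevated prompt on the CA.
# Moves CA Exchange keys off the HSM by pointing the CA's encryption CSP at a
# software provider, then forces issuance of a fresh CA Exchange certificate.

# Provider strings are the two quoted in the answer; pick the one for your OS.
$Provider = "Microsoft Software Key Storage Provider"   # Server 2008 or higher
# $Provider = "Microsoft Strong Cryptographic Provider" # Server 2003

# 1. Record the current value so the change can be reverted if needed.
Write-Host "Current EncryptionCSP provider:"
certutil -getreg ca\EncryptionCSP\Provider

# 2. Point encryption (CA Exchange) keys at the software provider.
certutil -setreg ca\EncryptionCSP\Provider $Provider
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with code $LASTEXITCODE" }

# 3. Locate the newest CA Exchange certificate. Assumption: it is in the
#    local machine Personal store and carries the Private Key Archival EKU.
$caExchangeEku = "1.3.6.1.4.1.311.21.5"
$xchg = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $caExchangeEku } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $xchg) { throw "No CA Exchange certificate found; check the store/EKU assumption" }
Write-Host "Revoking CA Exchange cert serial $($xchg.SerialNumber), expires $($xchg.NotAfter)"

# 4. Revoke it in the CA database (reason 0 = unspecified) so the CA will
#    issue a new one with the new provider on the next request.
certutil -revoke $xchg.SerialNumber 0
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with code $LASTEXITCODE" }

# 5. Restart Certificate Services so the new CSP setting takes effect.
Restart-Service certsvc
Write-Host "Done. New EncryptionCSP provider:"
certutil -getreg ca\EncryptionCSP\Provider
```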
