Clean up multiple Root Certificates from a CA
Hi, we have this old Win 2003 DC that runs as a CA for our WiFi IAS authentication. It's been there for a while, so things got a bit messy, e.g. open \\caserver\certsrv\certcarc.asp and there will be 4 certificates available for download with names like below:

    contoso-ca(2)
    contoso-ca(3)
    contoso-ca(4)
    contoso-ca(5)

I checked those ones with "certutil -viewstore"; all those 4 are valid until 2016. I then checked in PKIview and confirmed contoso-ca(5) is the one currently used as the CA Root certificate. I have since removed those unused certs from the Certificates MMC console under Trusted Root Certification Authorities. But they are not disappearing from the CA certificate list.

Now my question is, what's the proper way to get rid of those unused certs like contoso-ca(2) ~ contoso-ca(4)... I had a look and found those certificates are saved in C:\WINDOWS\system32\certsrv\CertEnroll. The folder also contains some other files like

    caserver.contoso.int_contoso(2).crt
    caserver.contoso.int_contoso(3-2).crt
    caserver.contoso.int_contoso(3).crt

Not sure if I can simply delete those files from there? Another place I noticed is in ADSI Edit, under LDAP://CN=CASERVER, CN=CDP, CN=Public Key Services, CN=Services, CN=Configuration, DC=Contoso, DC=int. There are objects listed as contoso-ca(2), contoso-ca(3)... So should I manually remove those? Another way I can see is to use certutil -viewdelstore and then delete the certificates from there??
June 2nd, 2011 9:51am

You should not remove existing (even expired) CA certificates. This is because they can be used for digital signature verification after their expiration.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 2nd, 2011 10:12am

One thing I don't get is why the CA has so many CA certs with the same name? If I cannot remove them, what's the best way to clean them up, like deprecating the cert? What's annoying users now is that if they need to select a CA cert for the Wireless authentication, they get a list of certs all named "Contoso-CA" from the client computer's Trusted Root Certification Authorities. They get confused and don't know which one to select.

To help you understand my issue, here is my CA information:

    Exit module count: 1
    CA name: CONTOSO-CA
    Sanitized CA short name (DS name): CONTOSO-CA
    CA type: 3 -- Stand-alone Root CA
        ENUM_STANDALONE_ROOTCA -- 3
    CA cert count: 6
    KRA cert count: 0
    KRA cert used count: 0
    CA cert[0]: 1 -- Unavailable
    CA cert[1]: 4 -- Expired
    CA cert[2]: 3 -- Valid
    CA cert[3]: 3 -- Valid
    CA cert[4]: 3 -- Valid
    CA cert[5]: 3 -- Valid
    CA cert version[0]: 0 -- V0.0
    CA cert version[1]: 0x10001 (65537) -- V1.1
    CA cert version[2]: 0x20002 (131074) -- V2.2
    CA cert version[3]: 0x20003 (131075) -- V3.2
    CA cert version[4]: 0x40004 (262148) -- V4.4
    CA cert version[5]: 0x50005 (327685) -- V5.5
    CA cert verify status[0]: 0
    CA cert verify status[1]: 0x800b0101 (-2146762495)
    CA cert verify status[2]: 0
    CA cert verify status[3]: 0x800b0109 (-2146762487)
    CA cert verify status[4]: 0x800b0109 (-2146762487)
    CA cert verify status[5]: 0
    CRL[0]: 1 -- Error: No CRL for this Cert
    CRL[1]: 4 -- Expired
    CRL[2]: 3 -- Valid
    CRL[3]: 1 -- Error: No CRL for this Cert
    CRL[4]: 3 -- Valid
    CRL[5]: 3 -- Valid
    CRL Publish Status[1]: 5
        CPF_BASE -- 1
        CPF_COMPLETE -- 4
    CRL Publish Status[2]: 5
        CPF_BASE -- 1
        CPF_COMPLETE -- 4
    CRL Publish Status[4]: 5
        CPF_BASE -- 1
        CPF_COMPLETE -- 4
    CRL Publish Status[5]: 5
        CPF_BASE -- 1
        CPF_COMPLETE -- 4
    DNS Name: caserver.contoso.int
    Advanced Server: 0
    CertUtil: -CAInfo command completed successfully.

As you can see there are 4 valid CA certs?! Having a further thought, I can see the reason for the multiple CA certs is the number of times the CA was renewed.
In this case how can I prevent those old versions of CA certs from being published to clients?
June 3rd, 2011 2:11am
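The -CAInfo output above is easier to reason about once the per-certificate fields are decoded. The following is an added example (not code from this thread, from Microsoft, or from the PSPKI module linked by the answerer): a Python script that parses those certutil lines and explains them. It relies on the fact that the "CA cert version" value packs two 16-bit counters, the certificate index in the low word and the signing-key index in the high word (which is what the V3.2 notation spells out), so certificates that share a key index are renewals made with the same key pair. The function names parse_cainfo, summarize and report, and the HRESULT_NAMES table, are the example's own; the sample text is the output quoted in the post, trimmed to the fields the parser reads.

```python
import re

# Constructed sample input: the per-certificate lines from the certutil -CAInfo
# output quoted in the post above (the CRL Publish Status block is not needed).
CAINFO_OUTPUT = """
CA name: CONTOSO-CA
CA type: 3 -- Stand-alone Root CA
CA cert count: 6
CA cert[0]: 1 -- Unavailable
CA cert[1]: 4 -- Expired
CA cert[2]: 3 -- Valid
CA cert[3]: 3 -- Valid
CA cert[4]: 3 -- Valid
CA cert[5]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 0x10001 (65537) -- V1.1
CA cert version[2]: 0x20002 (131074) -- V2.2
CA cert version[3]: 0x20003 (131075) -- V3.2
CA cert version[4]: 0x40004 (262148) -- V4.4
CA cert version[5]: 0x50005 (327685) -- V5.5
CA cert verify status[0]: 0
CA cert verify status[1]: 0x800b0101 (-2146762495)
CA cert verify status[2]: 0
CA cert verify status[3]: 0x800b0109 (-2146762487)
CA cert verify status[4]: 0x800b0109 (-2146762487)
CA cert verify status[5]: 0
CRL[0]: 1 -- Error: No CRL for this Cert
CRL[1]: 4 -- Expired
CRL[2]: 3 -- Valid
CRL[3]: 1 -- Error: No CRL for this Cert
CRL[4]: 3 -- Valid
CRL[5]: 3 -- Valid
"""

# Chain-building HRESULTs that appear in the output (values from wincrypt.h);
# 0 means the CA host could build a trusted chain for that CA certificate.
HRESULT_NAMES = {
    0x00000000: "OK",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

# Matches "<field>[<idx>]: <value> [(decimal)] [-- <text>]" as certutil prints it.
_LINE_RE = re.compile(
    r"^(?P<field>CA cert|CA cert version|CA cert verify status|CRL)"
    r"\[(?P<idx>\d+)\]:\s*(?P<value>\S+)(?:\s+\(-?\d+\))?(?:\s+--\s+(?P<text>.+))?$"
)


def _num(token):
    """certutil prints values either as plain decimal or as 0x-prefixed hex."""
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def parse_cainfo(text):
    """Return one dict per CA certificate index, sorted by index."""
    certs = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # CA name, counts, CRL publish flags etc. are not per-cert rows
        idx = int(m.group("idx"))
        entry = certs.setdefault(idx, {"index": idx})
        field, value, note = m.group("field"), m.group("value"), m.group("text")
        if field == "CA cert":
            entry["status"] = note
        elif field == "CA cert version":
            version = _num(value)
            entry["cert_index"] = version & 0xFFFF  # low word: certificate number
            entry["key_index"] = version >> 16      # high word: key pair number
        elif field == "CA cert verify status":
            hresult = _num(value)
            entry["verify_hresult"] = hresult
            entry["verify_name"] = HRESULT_NAMES.get(hresult, "0x%08X" % hresult)
        elif field == "CRL":
            entry["crl"] = note
    return [certs[i] for i in sorted(certs)]


def summarize(certs):
    """Group certificates by signing key and identify the one the CA signs with now."""
    by_key = {}
    for c in certs:
        by_key.setdefault(c["key_index"], []).append(c["cert_index"])
    valid = [c for c in certs if c.get("status") == "Valid"]
    # The CA signs with its most recently issued valid certificate (highest index).
    current = max(valid, key=lambda c: c["cert_index"]) if valid else None
    return {
        "current_index": current["index"] if current else None,
        "keys": by_key,
        "renewed_with_same_key": {k: v for k, v in by_key.items() if len(v) > 1},
        "failing_verification": [c["index"] for c in certs if c.get("verify_hresult", 0) != 0],
    }


def report(text):
    """Human-readable lines for the CA operator."""
    certs = parse_cainfo(text)
    lines = ["idx  status       ver    key  chain-check            CRL"]
    for c in certs:
        lines.append("%-4d %-12s V%d.%d   %-4d %-22s %s" % (
            c["index"], c.get("status", "?"), c["cert_index"], c["key_index"],
            c["key_index"], c.get("verify_name", "?"), c.get("crl", "?")))
    s = summarize(certs)
    lines.append("Currently signing with CA cert[%s]" % s["current_index"])
    for key, idxs in s["renewed_with_same_key"].items():
        lines.append("Key %d was reused across CA certs %s (renewal with same key)" % (key, idxs))
    return lines


if __name__ == "__main__":
    print("\n".join(report(CAINFO_OUTPUT)))
```

Two things the report makes visible that the raw output hides. Certificates 2 and 3 both carry key index 2, so any end-entity or CRL signature made with that key verifies against either of them; certificates 4 and 5 each introduced a new key pair. And the CERT_E_UNTRUSTEDROOT result on certificates 3 and 4 means the CA host itself can no longer build a trusted chain to those two roots, which is the symptom one would expect after they were removed from the server's Trusted Root store; restoring them there, rather than deleting further copies from CertEnroll or the AIA container, is the check to make before users start getting signature-verification failures on older certificates.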

Hi, I finally came across your article here http://social.technet.microsoft.com/wiki/contents/articles/root-ca-certificate-renewal.aspx and started to understand my problem. Obviously the last sysadmin somehow renewed the cert multiple times on the same day... Is there a decent way to clean up this mess? I mean make the older versions of the CA certs disappear from the distribution list. Or can I just delete those obsolete CA certs from the AIA container? Regardless of the consequences, will this action remove the certs from Trusted Root Certification Authorities on the clients?
June 3rd, 2011 3:23am

As I said, you really don't need to do it. This is normal behavior. Even if there are multiple valid CA certs, only the most recent CA certificate is used for certificate signing.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 3rd, 2011 8:34am
