Cleanup Expired CA Certs
I'm working on cleaning our CA's database. There were a ton of "failed requests" that I cleared out. I want to go through our "Issued" certs and remove anything that is expired. I'm wondering a few things.
1. Is it okay to find the expired certs and revoke them? I'm wondering why the CA itself doesn't already do that.
2. After I revoke them they will go to the "Revoked" list. After the CRL is published, is it okay to clean the "Revoked" list?
David Jenkins
November 14th, 2011 5:37pm

There is no need to revoke expired certificates. Remember that revocation is to prevent the use of a certificate *prior* to its expiry date. The default behavior of the CA is to remove the certificate from the CRL one publication period after the certificate expires. Just a question: why are you cleaning out the database? From a forensics and audit perspective, you are erasing evidence of what has occurred in the past.
Brian
November 14th, 2011 11:39pm
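An added example from the editor, not code posted in the thread: it answers the "find the expired certs" part of the question without revoking anything. It lists issued certificates in the CA database whose NotAfter date has passed, shows which templates they came from, prints the CRL settings that govern whether expired entries stay on the CRL, and only when run with -Delete removes the old rows with certutil -deleterow after taking a database backup. It assumes an elevated PowerShell session on the CA, certutil.exe on the PATH, and a US-style MM/dd/yyyy date for -deleterow; the column names passed to -restrict/-out are certutil's own.

```powershell
# Added example (editor's, not from the thread). Lists the issued certificates in the
# CA database that have already expired, shows which templates they came from, and
# prints the CRL settings that govern how long expired entries stay on the CRL.
# Nothing is revoked. Only with -Delete are the rows removed, and then only after a
# database backup, because deleted rows are gone from the issuance history for good.
# Assumptions: run in an elevated PowerShell on the CA; certutil.exe is on the PATH;
# the date passed to -deleterow is in US MM/dd/yyyy form (adjust to the CA's locale).
param(
    [switch]$Delete,
    [int]$KeepExpiredForDays = 365      # keep rows for certs that expired more recently than this
)

function Invoke-CertutilView {
    # Run a certutil -view query and turn its CSV output into objects.
    # certutil prints a localized header row and a "CertUtil: ... completed" trailer;
    # both are dropped and our own column names are applied instead.
    param([string]$Restrict, [string[]]$Columns)
    & certutil.exe -view -restrict $Restrict -out ($Columns -join ',') csv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header $Columns
}

# Disposition 20 = issued (21 = revoked, 30 = failed, 31 = denied). "now" is the
# current time in certutil's restriction syntax.
$cols    = 'RequestID', 'RequesterName', 'CertificateTemplate', 'NotAfter'
$expired = @(Invoke-CertutilView -Restrict 'Disposition=20,NotAfter<=now' -Columns $cols)

'{0} issued certificates have expired and are still in the database' -f $expired.Count
$expired | Group-Object CertificateTemplate | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# CRL behaviour: expired certificates drop off the CRL by default; the
# CRLF_PUBLISH_EXPIRED_CERT_CRLS bit in CRLFlags keeps them listed instead.
foreach ($v in 'CRLFlags', 'CRLPeriodUnits', 'CRLPeriod', 'CRLOverlapUnits', 'CRLOverlapPeriod') {
    & certutil.exe -getreg "CA\$v"
}

if ($Delete) {
    $cutoff = (Get-Date).AddDays(-$KeepExpiredForDays).ToString('MM/dd/yyyy')
    $backup = Join-Path $env:SystemDrive ('CABackup-' + (Get-Date -Format yyyyMMdd))
    & certutil.exe -backupdb $backup
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; not deleting anything' }
    # "Cert" selects expired certificates whose NotAfter is before the date;
    # "Request" would select failed/pending requests instead.
    & certutil.exe -deleterow $cutoff Cert
}
```

Run it without -Delete first and read the per-template counts; a template that dominates the expired list is usually the one being over-enrolled, which is cheaper to fix at the template than by deleting rows every year.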

I was thinking that by marking the old certs as 'Superseded' I would be maintaining history. Also, we're running out of drive space on the CA. Maybe there is a way to move the DB. One of the problems I am having is that we seem to be generating a lot of certificates for no reason. We have a VPN certificate that we deploy to all users. I see so many certificates for the same users over and over again. Looking at the template, it shows a validity period of 1 year and a renewal period of 6 weeks. I'm not sure why it's set up like that, but I'm thinking I should extend the renewal period to maybe 11 months. Any thoughts?
David Jenkins
November 15th, 2011 9:31am

Okay, the 6 weeks is supposed to be before the certificate expires. But I still don't know why we have so many of the same certs being installed. Could it be that users are logging in to other workstations and it's applying a certificate to them?
David Jenkins
November 15th, 2011 9:34am

It would be a bad idea to extend the renewal period to 11 months. What this setting means is that the clients will start to attempt renewal 6 weeks prior to the expiration of the certificate. To do what you want, reduce the setting to 4 weeks, so that renewals would start 4 weeks (1 month) prior to the expiration of the certificate. It sounds like you need to implement Credential Roaming Services (CRS). If people are using multiple computers, they will autoenroll a new certificate at each workstation. When you implement CRS, the certificates and their private keys are stored in AD and downloaded to new workstations *prior* to autoenrollment kicking off (preventing unnecessary enrollments). http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx
Brian
November 15th, 2011 10:22am
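An added example from the editor, not code from the thread, that puts numbers behind the renewal-window explanation above and the "same users over and over" symptom. It reads the template's validity and renewal periods from the template object in AD (the two values that define when autoenrollment starts renewing), then groups the template's unexpired issued certificates by requester and reports anyone holding more than one. Certificates issued to one requester much closer together than (validity minus renewal period) cannot be renewals, so they are the duplicate enrollments from other workstations that Credential Roaming would prevent. It assumes it runs on the CA as a user who can read the CA database and the Configuration partition; "VPNUser" is a placeholder for the template's CN.

```powershell
# Added example (editor's, not from the thread). For one certificate template it shows
# (1) the validity and renewal periods stored on the template object in AD, and
# (2) which requesters hold more than one unexpired certificate from that template,
# with the time between first and last issuance, so a legitimate renewal (issued
# inside the renewal window) can be told apart from a duplicate enrollment (issued
# well before it, typically from another workstation).
# Assumptions: run on the CA with read access to the CA database and the
# Configuration partition; template CN "VPNUser" is a placeholder.
param(
    [string]$TemplateName = 'VPNUser'   # the template's CN, not its display name
)

function Get-TemplatePeriods {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative
    # intervals in 100-ns ticks; convert to whole days.
    param([string]$Cn)
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = [ADSISearcher]"(&(objectClass=pKICertificateTemplate)(cn=$Cn))"
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t = $searcher.FindOne()
    if (-not $t) { throw "Template '$Cn' not found" }
    $toDays = { param([byte[]]$b) -([BitConverter]::ToInt64($b, 0)) / 864000000000 }
    $oid = $t.Properties['mspki-cert-template-oid']        # absent on v1 templates
    [pscustomobject]@{
        Template     = $Cn
        Oid          = if ($oid.Count) { [string]$oid[0] } else { $null }
        ValidityDays = & $toDays $t.Properties['pkiexpirationperiod'][0]
        RenewalDays  = & $toDays $t.Properties['pkioverlapperiod'][0]
    }
}

function Get-DuplicateEnrollments {
    # Issued (Disposition=20), unexpired certificates, grouped by requester.
    # The CertificateTemplate column holds the OID for v2+ templates and the
    # template name for v1 templates, so both are matched.
    param([string]$Cn, [string]$Oid)
    $cols = 'RequestID', 'RequesterName', 'CertificateTemplate', 'NotBefore', 'NotAfter'
    $rows = & certutil.exe -view -restrict 'Disposition=20,NotAfter>now' -out ($cols -join ',') csv |
            Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
            Select-Object -Skip 1 | ConvertFrom-Csv -Header $cols |
            Where-Object { $_.CertificateTemplate -eq $Cn -or ($Oid -and $_.CertificateTemplate -like "$Oid*") }
    $rows | Group-Object RequesterName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $sorted = $_.Group | Sort-Object { [datetime]$_.NotBefore }
        $first  = [datetime]$sorted[0].NotBefore
        $last   = [datetime]$sorted[-1].NotBefore
        [pscustomobject]@{
            Requester   = $_.Name
            Certs       = $_.Count
            FirstIssued = $first
            LastIssued  = $last
            SpanDays    = [int]($last - $first).TotalDays
        }
    }
}

$periods = Get-TemplatePeriods -Cn $TemplateName
$periods | Format-List
$earliestRenewal = $periods.ValidityDays - $periods.RenewalDays
'Clients start renewing {0} days before expiry, i.e. no earlier than {1} days after issuance of a {2}-day certificate.' -f `
    $periods.RenewalDays, $earliestRenewal, $periods.ValidityDays

# Requesters whose certificates were issued closer together than the earliest
# possible renewal did not get them through renewal.
Get-DuplicateEnrollments -Cn $TemplateName -Oid $periods.Oid |
    Where-Object { $_.SpanDays -lt $earliestRenewal } |
    Sort-Object Certs -Descending | Format-Table -AutoSize
```

With the 1-year validity and 6-week renewal period described above, the script reports 365 and 42 days and flags any user whose certificates were issued less than 323 days apart; a handful of users with three or four certificates issued on different days inside that window is the signature of the per-workstation autoenrollment Brian describes.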

Thank you. I think this will help me out a lot.
David Jenkins
November 15th, 2011 11:16am

You can move the CA database and/or logs to a different drive by using the certutil command; see http://technet.microsoft.com/en-us/library/dd379476(WS.10).aspx
December 15th, 2011 9:03am
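An added example from the editor, not code from the thread or the linked article, showing the relocation in one script: it stops the CA service, moves the ESE database and log files to a new volume, points the four location values under the CertSvc Configuration registry key at the new directories, restarts the service and verifies the result with certutil -databaselocations and certutil -ping. It assumes an elevated PowerShell session on the CA, that a certutil -backupdb backup was taken beforehand, and that E:\CertLog and E:\CertLogs are placeholders for the new paths.

```powershell
# Added example (editor's, not from the thread): relocates the CA database (.edb)
# and its ESE log files to another volume by editing the four location values under
# the CertSvc Configuration key.
# Assumptions: elevated PowerShell on the CA; E:\CertLog and E:\CertLogs are
# placeholders; a "certutil -backupdb" backup was taken beforehand.
param(
    [string]$NewDbDir  = 'E:\CertLog',
    [string]$NewLogDir = 'E:\CertLogs'
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cur    = Get-ItemProperty -Path $cfgKey
'Before: DB={0}  Logs={1}  System={2}  Temp={3}' -f $cur.DBDirectory, $cur.DBLogDirectory, $cur.DBSystemDirectory, $cur.DBTempDirectory

Stop-Service -Name CertSvc
try {
    foreach ($dir in @($NewDbDir, $NewLogDir) | Select-Object -Unique) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        # The CA service runs as LocalSystem; Administrators is kept for maintenance.
        & icacls.exe $dir /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    }

    # .edb is the database itself; .log, .chk and .jrs are the ESE transaction
    # logs, checkpoint and reserve logs and must move with it.
    Move-Item -Path (Join-Path $cur.DBDirectory '*.edb') -Destination $NewDbDir -Force
    Get-ChildItem -Path (Join-Path $cur.DBLogDirectory '*') -Include *.log, *.chk, *.jrs |
        Move-Item -Destination $NewLogDir -Force

    # All four values default to %SystemRoot%\System32\CertLog; the database gets
    # its own directory, the log, system and temp locations share the log directory.
    Set-ItemProperty -Path $cfgKey -Name DBDirectory -Value $NewDbDir
    foreach ($name in 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory') {
        Set-ItemProperty -Path $cfgKey -Name $name -Value $NewLogDir
    }
}
finally {
    # Restart even if the move failed part-way so the CA is not left down; check
    # the verification output below before trusting it.
    Start-Service -Name CertSvc
}

& certutil.exe -databaselocations
& certutil.exe -ping
```

Two practical notes for the drive-space problem that motivated the question: deleting rows with certutil -deleterow does not shrink the .edb file, so after a cleanup run esentutl /d against the database with CertSvc stopped to compact it, and take the free space on the new volume from the log directory as well, since the ESE logs grow between backups and are truncated only by a full certutil -backupdb.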

