Need help sorting out my certificates
I inherited a network a while back and have been trying to come to grips with it. We are a very small network - 10 users. We have 1 DC & 3 app servers all running Win 2008R2. We have a CA set up on one of the app servers. I have a few dozen certificates in my trusted root cert folder, many of which have expired. I'm not exactly sure what all we need certificates for. The only thing I am aware of is for Exchange OWA and connecting to Exchange (2010) with smart devices as well as connecting to our firewall device. I thought I needed a commercial certificate so I bought one from one of the companies but I'm not sure it is really needed. We don't do any web sales or FTP or anything with IIS. We still get certificate warnings when connecting to OWA and connecting to our firewall device - clicking on ignore warning works. I'm certain the certificate for OWA has expired. I'm having trouble renewing it. What I'd like to do is clear out everything that is not absolutely required and start all over - I have certs that expired as far back as 1999. I have been able to find articles on how to do different things with the CA but nothing that is really basic - CA's for dummies. I got to the point where I was almost ready to renew the OWA cert but was presented with numerous options I had no clue how to select. I don't want to start deleting certificates without being sure what I am doing. We rely quite heavily on Exchange for our business communications with clients. We do some SSLVPN connecting but use the firewall device to facilitate/validate. Any suggestions on how I might get started?
August 16th, 2012 9:40am

A suggestion is to start with those expired CA certificates and check what purposes they have been used for and if they can be removed from the root store. If the CA certificate already expired and you do not have any application that relies on any historical usage of certificates issued by that CA, it can be removed without any risks. The above does not apply to the "default" third party root CA certificates in the list even though they expired way back in time; this is simply because Windows and some applications do need to be able to verify some certificates related to some of the default CA's in the list. /Hasain
August 16th, 2012 6:15pm
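The reply above suggests starting from the expired CA certificates and working out what they were used for. The script below is an added example (not Hasain's, and not part of the original thread): it inventories the expired certificates in the machine's Trusted Root store, reads each one's Enhanced Key Usage extension for its purposes, and sorts them into Windows-distributed roots, your own enterprise CA, and a remainder for manual review. It is read-only and deletes nothing. It assumes it is run in an elevated PowerShell on one of the servers (Windows Server 2008 R2 ships PowerShell 2.0, which is all it needs); the "Microsoft" subject match is a heuristic I added, not a Windows feature.

```powershell
# Added example: list expired certificates in LocalMachine\Root with their
# purposes and a best-effort origin, so that Windows defaults are left alone.
# Read-only: nothing is removed.

$now = Get-Date

# AuthRoot holds the third-party roots delivered by the Microsoft Root
# Certificate Program. A Root-store entry with the same thumbprint is
# therefore Windows-distributed, not something an admin added by hand.
$authRootThumbs = @{}
Get-ChildItem Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $authRootThumbs[$_.Thumbprint] = $true }

function Get-CertPurposes {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Enhanced Key Usage is OID 2.5.29.37; a root without it is valid for all purposes
    $eku = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        Select-Object -First 1
    if (-not $eku) { return '<all purposes>' }
    $usages = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages
    return ($usages | ForEach-Object {
        if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
    }) -join ', '
}

function Get-ExpiredRootReport {
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.NotAfter -lt $now } |
        ForEach-Object {
            $origin = if ($_.HasPrivateKey) {
                # Only your own CA's root carries a private key on this box
                'Own enterprise CA (has private key)'
            } elseif ($authRootThumbs.ContainsKey($_.Thumbprint)) {
                'Windows-distributed (also in AuthRoot)'
            } elseif ($_.Subject -match 'Microsoft') {
                # Heuristic: the Microsoft root/timestamp roots ship with Windows
                'Likely Windows default (Microsoft root)'
            } else {
                'Review manually'
            }
            New-Object PSObject -Property @{
                Origin     = $origin
                Expired    = $_.NotAfter.ToString('yyyy-MM-dd')
                Subject    = $_.Subject
                Purposes   = Get-CertPurposes $_
                Thumbprint = $_.Thumbprint
            }
        }
}

Get-ExpiredRootReport |
    Sort-Object Origin, Expired |
    Format-Table Origin, Expired, Subject, Purposes -AutoSize
```

The roots named later in the thread (VeriSign Class 3, Microsoft Timestamp, Symantec) will land in the Windows-distributed or Microsoft buckets and should stay put, as the reply says. Only the "Review manually" rows are candidates, and even those should be matched against the applications that might still validate old signatures before anything is deleted.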

Thanks. How do I find what applications are using what certificates? In my trusted Root Authority (enterprise root CA): I have a Class 3 Public Primary Certificate expired 2008 from VeriSign, another identical that expired in 2004. I have a Microsoft Timestamp cert that expired in 1999. I have several Microsoft Code Signing certs expired from 2006-2011, some Microsoft Corporation expired certs...and another MS Timestamping cert expired in 2011. Then I have a Symantec Root CA that expired in 2011 and a VeriSign time stamping services signer that expired in 2008. The server that hosts Exchange has a personal cert friendly name OWA that expired in 2011. That is the cert that triggered the error messages in event log that caused me to start looking at certificates. OWA works if you click continue anyway, but it would be nice to have a valid certificate.
August 17th, 2012 7:58am

The CA's you mentioned here are all part of the default root CA list in Windows and should not be removed. As I mentioned above, you should not remove any of the "default" root CA certificates in the list unless you have a good reason or you will be breaking things! The discussion about cleaning up should only focus on the CA's that have been added to the list manually. To solve your OWA certificate warning, you need to look into purchasing a certificate from an external provider if your clients are accessing OWA from machines other than your domain members. /Hasain
August 17th, 2012 8:31am
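The two warnings in this thread (OWA and the firewall device) come from whatever certificate the server hands out during the TLS handshake, which is not necessarily the one you expect from the store. The function below is an added example (not from Hasain or the original thread): it connects to a host, captures the presented certificate, and reports the three things a browser checks before warning: expiry, whether the name matches the host you typed, and whether the chain builds up to a root this machine trusts. It is read-only. The host name is a placeholder to replace with your own OWA or firewall FQDN; it assumes PowerShell 2.0 or later with network access to the host, and its wildcard handling is a simplification I added.

```powershell
# Added example: fetch and evaluate the certificate a TLS server actually
# presents, to explain a browser warning. Host name below is a placeholder.

function Test-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server sends during the handshake; we judge it ourselves below
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # 1. Expiry
    $expired = $cert.NotAfter -lt (Get-Date)

    # 2. Name match: primary DNS name plus every Subject Alternative Name (OID 2.5.29.17)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        # Format($false) yields "DNS Name=a.example, DNS Name=b.example, ..."
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[1] }
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameOk = $true }
        # Simplified wildcard rule (added here): *.example.com covers one label
        elseif ($n -like '*.*' -and $n.StartsWith('*.') -and $HostName -like $n) { $nameOk = $true }
    }

    # 3. Chain to a trusted root on this machine (revocation skipped to keep it offline-friendly)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $chainStatus = if ($trusted) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    New-Object PSObject -Property @{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Expired     = $expired
        NameMatches = $nameOk
        ChainStatus = $chainStatus
        Thumbprint  = $cert.Thumbprint
    }
}

# Placeholder host name; replace with your OWA or firewall FQDN
Test-ServerCertificate -HostName 'owa.example.local' | Format-List
```

If Expired is True the server is still serving the old OWA certificate and the new one has not been assigned to the services yet; if NameMatches is False the certificate was issued for a different name than the one users type; and a ChainStatus of UntrustedRoot on a non-domain client is exactly the case the reply describes, where a certificate from an external provider is the fix.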

Thanks again. OK....leave the Root Certificates alone. I can do that. I did purchase a certificate from an external provider, DigiCert. I wasn't sure that was necessary as I didn't know if Windows could generate a cert that would work with OWA. That clears up that question. The OWA cert shows up as expired in their utility...I'll see if they can help me out.
August 17th, 2012 9:42am
