What do you do with expired certificates?
After a couple of years I looked over our issuing Certificate Authorities and noticed a bunch of expired certificates in the Issued Certificates folder. So what should we do with them? Do we just ignore them? I prefer to clean things up, so I revoked a few as "Cease of Operation" that were issued to our old Exchange servers which were decommissioned. That moved them from the Issued Certificates folder to the Revoked Certificates folder. How do you handle your expired certs?
January 13th, 2010 2:16am

Just leave them.

1) They were still issued.
2) If you need to recover private keys, they need to exist in the CA database to allow recovery.
3) Any customers I have seen that have attempted to start deleting rows from the CA database and running Jet DB utilities against it end up with corrupted CA databases.

Brian
January 13th, 2010 3:59am

Adding to my answer, revoking an expired certificate is a complete waste of time.

1) The certificate is expired, so no need to check revocation, as it is not time valid.
2) It goes into the CRL, but then is expunged, because the default behavior is to only have time valid certs on the CRL. And if you do a registry hack to include expired certificates, now you have CRL size bloat.

brian
January 13th, 2010 4:01am
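As an added example that is not part of the thread, the following PowerShell script does what Brian recommends: it leaves the CA database alone and only reports. It inventories expired issued certificates through certutil's read-only view and then checks whether the CA's CRLFlags already carry the CRLF_PUBLISH_EXPIRED_CERT_IN_CRL flag (the "registry hack" he mentions), so you can see the CRL-bloat exposure before anyone changes it. It assumes it runs on the CA host or against a CA named in -CAConfig with read access; the CA name in the comment is a placeholder.

```powershell
# Added example, not from the original thread. Read-only: nothing here deletes rows,
# revokes certificates or touches the registry.
param(
    # Placeholder CA config string, e.g. "ca01.example.com\Example Issuing CA".
    # Leave empty to use the local CA.
    [string]$CAConfig = ''
)

$configArg = if ($CAConfig) { @('-config', $CAConfig) } else { @() }

# Restriction for certutil -view: Disposition 20 = issued, NotAfter earlier than now.
$restrict = 'Disposition=20,NotAfter<now'
$columns  = 'RequestID,SerialNumber,NotBefore,NotAfter,CommonName'

# "csv" output mode gives a header row plus one row per certificate.
# The header uses localized display names, so columns are read by position below.
$raw = & certutil @configArg -view -restrict $restrict -out $columns csv 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($raw -join "`n")" }
$rows = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv

Write-Host ("Expired issued certificates still in the CA database: {0}" -f @($rows).Count)

# Group by expiry year (NotAfter is the 4th requested column, index 3).
$byYear = $rows | Group-Object { ([datetime]$_.PSObject.Properties.Value[3]).Year } |
          Sort-Object Name
foreach ($g in $byYear) {
    Write-Host ("  expired in {0}: {1}" -f $g.Name, $g.Count)
}

# Check whether the CA is configured to keep expired certificates on the CRL.
# certutil -getreg lists only the flags that are set, by symbolic name.
$flagOutput = (& certutil @configArg -getreg ca\CRLFlags 2>&1) -join "`n"
$publishesExpired = $flagOutput -match 'CRLF_PUBLISH_EXPIRED_CERT_IN_CRL'

if ($publishesExpired) {
    Write-Host 'CRLFlags includes CRLF_PUBLISH_EXPIRED_CERT_IN_CRL: revoked certs stay on the CRL after expiry (CRL growth risk).'
} else {
    Write-Host 'CRLFlags does not include CRLF_PUBLISH_EXPIRED_CERT_IN_CRL: expired certs drop off the CRL (default).'
}

# Return the inventory so it can be exported (e.g. | Export-Csv) for an audit record.
$rows
```

Run it from an account with read access to the CA; the output is an audit inventory, which is the defensible answer to "what do we do with them" when deletion is off the table.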

Thank you Brian, I type this with your 2008 PKI book in my lap, LOL. Is the information you provided on this forum in your book somewhere? I was unable to find Certificate Expiration in the index; it seems such a fundamental topic, it would be worth adding a blurb at least, as you stated above.
January 13th, 2010 7:48pm

This is the current supplement to the book (my answers) <G>

Brian
January 13th, 2010 11:18pm
