
Clean up multiple Root Certificates from a CA


Hi, we have this old Win 2003 DC running as a CA for our WiFi IAS authentication. It's been there for a while, so things got a bit messy.

E.g. if you open \\caserver\certsrv\certcarc.asp, there will be 4 certificates available for download, with names like the ones below:

  1. contoso-ca(2)
  2. contoso-ca(3)
  3. contoso-ca(4)
  4. contoso-ca(5)

I checked those with "certutil -viewstore"; all 4 are valid until 2016. I then checked in PKIview and confirmed contoso-ca(5) is the one currently used as the CA Root certificate. I have since removed those unused certs from the Certificates MMC console under Trusted Root Certification Authorities, but they are not disappearing from the CA certification list.

Now my question is, what's the proper way to get rid of those unused certs like contoso-ca(2) ~ contoso-ca(4)?

I had a look and found those certificates are saved in C:\WINDOWS\system32\certsrv\CertEnroll. The folder also contains some other files like:

  1. caserver.contoso.int_contoso(2).crt
  2. caserver.contoso.int_contoso(3-2).crt
  3. caserver.contoso.int_contoso(3).crt

Not sure if I can simply delete those files from there?

Another place I noticed is in ADSI Edit, under LDAP//CN=CASERVER, CN=CDP, CN=Public Key Services, CN=Services, CN=Configuration, DC=Contoso, DC=int. There are objects listed as contoso-ca(2), contoso-ca(3)... So should I manually remove those?

Another way I can see is to use certutil -viewdelstore and then delete the certificate from there?

