Windows 2008 R2 CA and auto-enrollment: how to get rid of >100,000 issued certificates

active-directory, certificate-authority, group-policy, windows, windows-server-2008-r2

The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and invalidating some of the useful certs on there.

This came about as a result of accepting a couple defaults with our Enterprise Root CA (2008 R2) and using a GPO to auto-enroll client machines for certificates to allow 802.1x authentication to our corporate wireless network.

Turns out that the default Computer (Machine) Certificate Template will happily allow machines to re-enroll instead of directing them to use the certificate they already have. This is creating a number of problems for the guy (me) who was hoping to use the Certificate Authority as more than a log of every time a workstation's been rebooted.

My freaking eyes!

(The scroll bar on the side is lying, if you drag it to the bottom, the screen pauses and loads the next few dozen certs.)

Does anyone know how to DELETE 100,000 or so time-valid, existing certificates from a Windows Server 2008R2 CA?

When I go to delete a certificate now, I get an error that it cannot be deleted because it's still valid. So, ideally, some way to temporarily bypass that error, as Mark Henderson has provided a way to delete the certificates with a script once that hurdle is cleared.

(Revoking them is not an option, as that just moves them to Revoked Certificates, which we need to be able to view, and they can't be deleted from the revoked "folder" either.)

Update:

I tried the site @MarkHenderson linked, which is promising, and offers much better certificate manageability, but still doesn't quite get there. The rub in my case seems to be that the certificates are still "time-valid" (not yet expired), so the CA doesn't want to let them be deleted from existence, and this applies to revoked certs as well, so revoking them all and then deleting them won't work either.

I've also found this technet blog with my Google-Fu, but unfortunately, they seemed to only have to delete a very large number of certificate requests, not actual certificates.

Finally, for now, time jumping the CA forward so the certificates I want to get rid of expire, and therefore can be deleted with the tools at the site Mark linked, is not a great option, as it would expire a number of valid certificates we use that have to be manually issued. So it's a better option than rebuilding the CA, but not a great one.

Best Answer

I haven't tried this, but there is a PKI PowerShell provider from https://pspki.codeplex.com/ that has a lot of interesting looking functions like Revoke-Certificate followed by Remove-Request:

Deletes specified certificate request row from Certification Authority (CA) Database.

This command can be used to reduce CA database size by deleting unnecessary certificate requests. For example, delete failed requests and unused expired certificates.

Note: after you delete a particular row you will be unable to retrieve any properties and (if necessary) revoke the corresponding certificate.
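As an added example (not code from the answer or from the PSPKI project), one way to apply the suggested Revoke-Certificate followed by Remove-Request sequence only to the superseded duplicates created by re-enrollment, keeping the newest certificate per machine. The cmdlet names and -Filter syntax are taken from the PSPKI module's documentation; the template name "Machine", the single-CA assumption and the $DryRun switch are assumptions.

```powershell
# Added example, not from the original answer or the PSPKI project.
# Assumes the PSPKI module (pspki.codeplex.com) is installed and the caller is a CA administrator.
# Cmdlet names and -Filter syntax follow the module's documentation; "Machine" as the
# template name and the $DryRun switch are assumptions for this example.
Import-Module PSPKI

$DryRun = $true             # set to $false only after reviewing the dry-run list on a test CA
$TemplateName = 'Machine'   # the default Computer template the question describes

# Assumes a single Enterprise Root CA in the forest.
$ca = Get-CertificationAuthority | Select-Object -First 1

# Every currently issued (not revoked, not expired) certificate from the auto-enrollment template.
$issued = $ca | Get-IssuedRequest -Filter "CertificateTemplate -eq $TemplateName" `
               -Property CommonName, NotBefore, RequestID

# One group per machine name; the newest certificate in each group is the one the machine
# actually uses for 802.1x, everything older is a superseded duplicate from re-enrollment.
$byMachine  = $issued | Group-Object CommonName
$superseded = $byMachine | ForEach-Object {
    $_.Group | Sort-Object NotBefore -Descending | Select-Object -Skip 1
}

Write-Output ("{0} issued rows, {1} machines, {2} superseded rows" -f `
    @($issued).Count, @($byMachine).Count, @($superseded).Count)

if ($DryRun) {
    # Review before touching the database: these are the rows that would be revoked and removed.
    $superseded | Select-Object RequestID, CommonName, NotBefore | Format-Table -AutoSize
    return
}

# Revoke first so the RADIUS server stops trusting the old certificates, then delete the rows.
# Remove-Request makes a row unrecoverable, as the quoted documentation warns.
foreach ($row in $superseded) {
    $row | Revoke-Certificate -Reason 'Superseded'
    $row | Remove-Request
}
```

The asker reports that this CA refused to delete rows that were still time-valid even after revocation, so run the dry run first and confirm Remove-Request actually succeeds against a non-production CA before pointing it at the real database.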