Windows 2008 R2 CA and auto-enrollment: how to get rid of >100,000 issued certificates?
The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and invalidating some of the useful certs on there.
This came about as a result of accepting a couple of defaults with our Enterprise Root CA (2008 R2) and using a GPO to auto-enroll client machines for certificates to allow 802.1x authentication to our corporate wireless network.
Turns out that the default Computer (Machine) Certificate Template will happily allow machines to re-enroll instead of directing them to use the certificate they already have. This is creating a number of problems for the guy (me) who was hoping to use the Certificate Authority as more than a log of every time a workstation's been rebooted.
(The scroll bar on the side is lying, if you drag it to the bottom, the screen pauses and loads the next few dozen certs.)
Does anyone know how to DELETE 100,000 or so time-valid, existing certificates from a Windows Server 2008R2 CA?
When I go to delete a certificate now, I get an error that it cannot be deleted because it's still valid. So, ideally, some way to temporarily bypass that error, as Mark Henderson's provided a way to delete the certificates with a script once that hurdle is cleared.
(Revoking them is not an option, as that just moves them to Revoked Certificates, which we need to be able to view, and they can't be deleted from the revoked "folder" either.)
Update:
I tried the site @MarkHenderson linked, which is promising, and offers much better certificate manageability, but still doesn't quite get there. The rub in my case seems to be that the certificates are still "time-valid" (not yet expired), so the CA doesn't want to let them be deleted from existence, and this applies to revoked certs as well, so revoking them all and then deleting them won't work either.
I've also found this technet blog with my Google-Fu, but unfortunately, they seemed to only have to delete a very large number of certificate requests, not actual certificates.
Finally, for now, time jumping the CA forward so the certificates I want to get rid of expire, and therefore can be deleted with the tools at the site Mark linked, is not a great option, as it would expire a number of valid certificates we use that have to be manually issued. So it's a better option than rebuilding the CA, but not a great one.
I haven't tried this, but there is a PKI PowerShell provider from https://pspki.codeplex.com/ that has a lot of interesting looking functions like Revoke-Certificate followed by Remove-Request:
Deletes specified certificate request row from Certification Authority (CA) Database.
This command can be used to reduce CA database size by deleting unnecessary certificate requests. For example, delete failed requests and unused expired certificates.
Note: after you delete a particular row you will be unable to retrieve any properties and (if necessary) revoke the corresponding certificate.
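As an added illustration of the approach this answer sketches (not code from the thread or from the PSPKI project), the script below uses PSPKI to find duplicate auto-enrolled Computer-template certificates per workstation, keeps the newest row for each machine, and passes only the already-expired duplicates to Remove-Request, since the CA refuses to delete time-valid rows as the question notes. Assumptions: the PSPKI cmdlets Get-CertificationAuthority and Get-IssuedRequest with its -Filter parameter, the row property names used below (RequestID, Request.RequesterName, NotBefore, NotAfter), and the CA name, which is a placeholder.

```powershell
# Added example: PSPKI-based cleanup of duplicate "Computer" (internal template name "Machine")
# certificates. Cmdlet names other than Revoke-Certificate/Remove-Request, the property names,
# and the CA name are assumptions; adjust them to your environment.
Import-Module PSPKI

$ca = Get-CertificationAuthority -Name 'CA-NAME-PLACEHOLDER'

# Issued rows from the default Computer template, stored in the CA database as "Machine".
$rows = @($ca | Get-IssuedRequest -Filter 'CertificateTemplate -eq Machine')

# Group by the requesting machine account; everything but the newest row per machine is a duplicate.
$duplicates = @($rows |
    Group-Object -Property 'Request.RequesterName' |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group | Sort-Object NotBefore -Descending | Select-Object -Skip 1 })

"{0} issued Machine rows, {1} duplicate rows" -f $rows.Count, $duplicates.Count

# Only expired rows can be removed; time-valid duplicates are reported so they can be handled later.
$now = Get-Date
$expired    = @($duplicates | Where-Object { $_.NotAfter -lt $now })
$stillValid = @($duplicates | Where-Object { $_.NotAfter -ge $now })

"Removing {0} expired duplicates; {1} time-valid duplicates left in place" -f $expired.Count, $stillValid.Count
$stillValid | Select-Object RequestID, 'Request.RequesterName', NotAfter | Format-Table -AutoSize

# Delete the expired duplicate rows from the CA database.
if ($expired.Count -gt 0) { $expired | Remove-Request }
```

Run it first with the final `Remove-Request` line commented out to review the counts and the list of rows it would touch.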
My gut says wipe it and start over without the goof-up and you'll be happy later, but if you already changed it to store the certs in AD (which is ideal) and you wipe and start over, you'll still have a ton of bogus certs; they'll just be in AD attached to all the computer accounts instead of on your CA. So it's a mess either way, really.
Tough call. You can revoke as you said but I don't believe you can get rid of them entirely from the CA mmc.
If you do start over, follow the steps here to do it as cleanly as possible.
Because I didn't want to find another ~4000 issued certificates the next day, I stopped the wanton certificate issuance by removing the default "Computer" Certificate Template and adding a duplicate of it which is set to "Publish certificate in Active Directory" and "Do not automatically reenroll if a duplicate certificate exists in Active Directory".
Still leaves me with the problem of how to get rid of the ones already in there, but it's a start.