The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and invalidating some of the useful certs on there.
This came about as a result of accepting a couple defaults with our Enterprise Root CA (2008 R2) and using a GPO to auto-enroll client machines for certificates to allow 802.1x authentication to our corporate wireless network.
Turns out that the default Computer (Machine) Certificate Template will happily allow machines to re-enroll instead of directing them to use the certificate they already have. This is creating a number of problems for the guy (me) who was hoping to use the Certificate Authority as more than a log of every time a workstation's been rebooted.
(The scroll bar on the side is lying, if you drag it to the bottom, the screen pauses and loads the next few dozen certs.)
Does anyone know how to DELETE 100,000 or so time-valid, existing certificates from a Windows Server 2008R2 CA?
When I go to delete a certificate now, I get an error that it cannot be deleted because it's still valid. So, ideally, some way to temporarily bypass that error, as Mark Henderson's provided a way to delete the certificates with a script once that hurdle is cleared.
(Revoking them is not an option, as that just moves them to Revoked Certificates, which we need to be able to view, and they can't be deleted from the revoked "folder" either.)
Update:
I tried the site @MarkHenderson linked, which is promising, and offers much better certificate manageability, but still doesn't quite get there. The rub in my case seems to be that the certificates are still "time-valid," (not yet expired) so the CA doesn't want to let them be deleted from existence, and this applies to revoked certs as well, so revoking them all and then deleting them won't work either.
I've also found this technet blog with my Google-Fu, but unfortunately, they seemed to only have to delete a very large number of certificate requests, not actual certificates.
Finally, for now, time jumping the CA forward so the certificates I want to get rid of expire, and therefore can be deleted with the tools at the site Mark linked is not a great option, as it would expire a number of valid certificates we use that have to be manually issued. So it's a better option than rebuilding the CA, but not a great one.