Removing old certification authority certificates from the configuration of a certification authority

During the lifetime of a certification authority, certification authority certificates are renewed according to the planning for their life cycle. A new key pair can optionally be used here. The previous certification authority certificates expire or are revoked.

Expired certificate authority certificates can become a problem under certain circumstances if, for example, the associated private keys are stored on old hardware security modules (HSM) and these can only be migrated to new hardware with great difficulty.

In such a case, it may be useful to remove old certification authority certificates from the certification authority configuration.

This operation does not affect the recovery of archived keys of certificates issued by one of the old certificate authority certificates or encrypted with a Key Recovery Agent certificate issued by one of the old certificate authority certificates.

In the following example, the certification authority has four certification authority certificates, three of which have already been revoked. The objective is that, after the operation, the certification authority uses only the current certificate and its private key. However, the counter for the version of the certification authority (CA version, in this case "3") is to be retained.


Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

For this purpose, the configuration of the certification authority certificates must be edited in the registry. The configuration entry is located under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{name-of-certification authority}

Here there is a value called CACertHash, which contains the fingerprints (thumbprints) of the certification authority certificates.

The certification authority certificates are entered in exact chronological order. Thus, the first three values would be removed in the example.

However, it is important here not to simply delete the values, but to replace them with a placeholder in the form of a hyphen "-" so that the counter for the certification authority version is retained.

If you delete the values instead of replacing them with a hyphen and then try to start the certification authority service, the start will fail with the error message ERROR_INVALID_DATA.

Afterwards, the certification authority service must be restarted for the changes to be accepted.
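The following PowerShell script is an added example that is not part of the original article. It performs the steps described above: it reads CACertHash from the configuration key, replaces all entries except the newest ones with the "-" placeholder so that the number of entries (and thus the CA version counter) stays the same, writes the value back and restarts the service. It assumes it is run elevated on the certification authority, that the CA name is either passed in or read from the "Active" value of the Configuration key, and that the entries are in chronological order with the current certificate last, as the article states. The normalisation of thumbprints (removing spaces, upper case) before comparing them with the machine store is an assumption about how the registry formats them. Without the -Apply switch the script only shows what would change.

```powershell
# Added example, not the article's own code. Replaces old CA certificate
# thumbprints in CACertHash with "-" placeholders, keeping the entry count
# (and therefore the CA version counter) unchanged. Run elevated on the CA.
# Assumptions: CA name comes from the parameter or the "Active" value of the
# Configuration key; entries are chronological with the current certificate last.
param(
    [string]$CaName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' -Name Active).Active,
    [int]$Keep = 1,                 # how many of the newest CA certificates to keep
    [string]$BackupDir = $env:TEMP, # where a copy of the old value is written
    [switch]$Apply                  # without -Apply nothing is written (dry run)
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$hashes  = [string[]](Get-ItemProperty -Path $keyPath -Name CACertHash).CACertHash

if ($Keep -lt 1) { throw "At least the current CA certificate must be kept." }
if ($hashes.Count -le $Keep) {
    Write-Host "Nothing to remove: $($hashes.Count) entries, keeping $Keep."
    return
}

# Same length as before: the oldest entries become "-", the newest $Keep stay as they are.
$cut = $hashes.Count - $Keep
$newHashes = [string[]]@(
    foreach ($i in 0..($hashes.Count - 1)) { if ($i -lt $cut) { '-' } else { $hashes[$i] } }
)

# Sanity check: every kept thumbprint must exist in LocalMachine\My with a usable
# private key, otherwise the service has nothing left to sign with after the change.
$store = Get-ChildItem Cert:\LocalMachine\My
foreach ($h in ($newHashes | Where-Object { $_ -ne '-' })) {
    $tp   = ($h -replace '\s', '').ToUpperInvariant()   # assumption: registry may contain spaces
    $cert = $store | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "Certificate $tp not found in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key (HSM not reachable?)." }
}

Write-Host "Current CACertHash:"
$hashes | ForEach-Object { Write-Host "  $_" }
Write-Host "New CACertHash:"
$newHashes | ForEach-Object { Write-Host "  $_" }

if (-not $Apply) {
    Write-Host "Dry run. Re-run with -Apply to write the change."
    return
}

# Keep a copy of the old value, write the new one, then restart the CA service
# so that the changed configuration is picked up.
$backup = Join-Path $BackupDir "CACertHash-$CaName-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
$hashes | Set-Content -Path $backup
Stop-Service -Name CertSvc
Set-ItemProperty -Path $keyPath -Name CACertHash -Value $newHashes -Type MultiString
Start-Service -Name CertSvc
Write-Host "Done. Old value saved to $backup."
```

For the article's scenario (four entries, three revoked), running the script with the default -Keep 1 turns the first three entries into "-" and leaves the fourth, so the CA version counter of 3 survives while only the current certificate and key remain in use. The backup file gives you the original thumbprints should the service fail to start and you need to restore the value.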
