Question

  Asked: Feb 25 2008   10:02 PM GMT
  Asked by: Windows Security ATE


Do old certificates pose a security threat?


Windows Server 2003, Security certificate

From our Windows Server 2003 Web server, we are using Windows certification services for issuing certificates for our clients. After issuing the certificate to the client, the certificates are stored in the server. Is there any way to delete the issued certificates from the server? Do they pose a security risk if they remain on the server undeleted?

Answer Wiki
Some would say they do pose a risk; however, whether they pose a risk or not is really driven by whether the certificates are in use or not.

Yes, you can delete the certificate, but that will invalidate the certificate, again assuming it is in use. You need to keep the issued certificates in the certificate store until the certificate expires or is no longer in use.

Remember, if you delete the certificate and you find it was actually needed, you would have to re-create (and issue) the certificate. If you're concerned about needing the certificate in the future, you could back the certificate up to a .pfx file, but when you do, be sure to back up both the private and the public key so it can be restored in an operational state.

You would back up and delete the certificates with the Certificates snap-in in the MMC, and the type of certificate would determine whether it was in the "Personal", "Computer", or "User" store.


Discuss This Answer



KevinBeaver  |   Feb 28 2008  1:16AM GMT

You could revoke the certificates by loading up the Certification Authority MMC (under Start/Administrative Tools), click Issued Certificates, select the one you want to revoke and then, under the Action menu, select All Tasks, and select Revoke Certificate. I can’t think of any direct vulnerabilities associated with certificates stored on a server assuming that reasonable security controls (i.e. system hardening, current patches, and strong passphrases) are in place. If someone gains access to the server itself, the passwords can be cracked as well, so don’t overlook physical security either.
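The "back it up before you touch it" advice in the answer wiki and the revocation steps in Kevin's comment, combined into one PowerShell script (an added example, not code from the original thread). It drives certutil.exe, which ships with the Windows CA role, and assumes it runs elevated on the CA itself; the serial number, backup directory and reason code are placeholders.

```powershell
# Added example (not from the original thread): back up the CA database,
# revoke an issued certificate instead of deleting its record, publish a
# fresh CRL, and confirm the CA now lists the certificate as revoked.
# Assumes an elevated session on the Windows CA; all values are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SerialNumber,  # hex, as shown under Issued Certificates
    [string]$BackupDir = 'C:\CABackup\issued-db',         # must be a new or empty directory
    [int]$Reason = 4    # certutil reason code: 4 = Superseded, 5 = Cessation of operation
)

# Returns the CA's disposition code for the certificate: 20 = Issued, 21 = Revoked,
# or $null when the serial number is not in the CA database at all.
function Get-CaDisposition([string]$Serial) {
    $text = certutil -view -restrict "SerialNumber=$Serial" -out 'SerialNumber,Disposition' 2>&1 | Out-String
    if ($text -match 'Request Disposition:\s+0x[0-9a-fA-F]+\s+\((\d+)\)') { return [int]$Matches[1] }
    return $null
}

$before = Get-CaDisposition $SerialNumber
if ($null -eq $before) { throw "Serial $SerialNumber is not in this CA's database." }
if ($before -eq 21) { Write-Host "Serial $SerialNumber is already revoked; nothing to do."; return }

# Keep a restorable copy of the CA's issued-certificate records first. This backs
# up the CA database only; it does not contain client private keys, because the
# CA never holds those unless key archival was explicitly configured.
certutil -backupDB $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA database backup failed; aborting before revoking." }

# Revoke at the CA, then publish a new CRL so relying parties learn of it.
certutil -revoke $SerialNumber $Reason | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Revocation of $SerialNumber failed." }
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed; clients will not see the revocation yet." }

# Verify against the CA database rather than trusting the exit codes alone.
$after = Get-CaDisposition $SerialNumber
if ($after -ne 21) { throw "CA still reports disposition $after for $SerialNumber." }
Write-Host "Revoked $SerialNumber (reason $Reason); CRL republished; CA backup in $BackupDir."
```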