Microsoft PKI: revoke expired certificates

Description

I have written the script below to clean up the CA database by revoking the expired certificates. The script first sorts every expired certificate into one of three groups, according to how many valid (unexpired and unrevoked) certificates exist for the same CommonName, and then revokes it:

  • exactly one valid certificate for the same CommonName exists
  • more than one valid certificate for the same CommonName exists
  • no valid certificate for the same CommonName exists

Finally, the script writes three reports (CSV files in the folder C:\Scripts), one per group, containing the details of the revoked certificates.

Regarding the revocation, the reason “Certificate Hold” is used because it is the only revocation reason that a Microsoft CA allows you to reverse (for example with certutil -revoke <SerialNumber> Unrevoke); this allows a quick rollback in case of error. A certificate revoked with any other reason cannot be unrevoked. Note also that, by default, a Microsoft CA does not publish expired certificates in its CRLs (unless the CRLF_PUBLISH_EXPIRED_CERT_CRLS flag is set), so revoking them marks the database rows without growing the CRL.

Cmdlet references

The following cmdlets have been used in the script:

  • Get-CertificationAuthority: retrieves all Enterprise Certification Authorities from the current Active Directory forest.
  • Get-IssuedRequest: retrieves issued certificate requests from the Certification Authority (CA) database. Issued requests are certificates that have been issued and not revoked; expired certificates are still included, which is what this script relies on.
  • Revoke-Certificate: revokes the specified certificate request with the specified reason. A revoked certificate appears in subsequent certificate revocation lists (CRLs), provided the revocation date is effective at the time the CRL is published.

All of these cmdlets are members of the PowerShell module PSPKI, which can be downloaded here. This useful module offers many more cmdlets for managing a Microsoft PKI.

The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.

The script

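The original script was not preserved in this copy of the page. What follows is an added example written for this edit, not the author's script: a reconstruction of the procedure in the description (group each expired certificate by the number of valid certificates sharing its CommonName, revoke with Certificate Hold, write three CSV reports to C:\Scripts) using the three PSPKI cmdlets listed above. It assumes that the PSPKI module is installed, that the account running it holds Certificate Manager rights on each CA, and that CertificateHold is the value the -Reason parameter of Revoke-Certificate accepts (as I recall from the PSPKI documentation; confirm with Get-Help Revoke-Certificate -Full). A $DryRun switch is added so the reports can be reviewed before anything is revoked.

```powershell
# Added example, not the original author's script: revoke expired certificates on
# every Enterprise CA, grouped by whether a valid certificate with the same
# CommonName still exists, and write one CSV report per group to C:\Scripts.
# Assumes the PSPKI module is installed and the caller has Certificate Manager
# rights on each CA. The -Reason value "CertificateHold" is assumed from the
# PSPKI documentation.
Import-Module PSPKI

$ReportFolder = 'C:\Scripts'
$DryRun       = $true          # set to $false to actually revoke
$Now          = Get-Date
$Stamp        = $Now.ToString('yyyyMMdd-HHmmss')

if (-not (Test-Path -Path $ReportFolder)) {
    New-Item -Path $ReportFolder -ItemType Directory | Out-Null
}

# One list per report: exactly one valid certificate, more than one, none.
$OneValid  = New-Object System.Collections.Generic.List[object]
$ManyValid = New-Object System.Collections.Generic.List[object]
$NoValid   = New-Object System.Collections.Generic.List[object]

foreach ($ca in Get-CertificationAuthority) {
    Write-Host "Processing CA $($ca.Name) on $($ca.ComputerName)"

    # Get-IssuedRequest returns issued, unrevoked rows; expired rows are included.
    $issued = Get-IssuedRequest -CertificationAuthority $ca

    # Count the currently valid certificates per CommonName in a single pass,
    # so the classification below is O(1) per expired certificate.
    $validCount = @{}
    foreach ($row in $issued) {
        $cn = [string]$row.CommonName
        if ($cn -ne '' -and $row.NotBefore -le $Now -and $row.NotAfter -ge $Now) {
            $validCount[$cn] = 1 + [int]$validCount[$cn]
        }
    }

    foreach ($cert in ($issued | Where-Object { $_.NotAfter -lt $Now })) {
        $cn = [string]$cert.CommonName
        # A certificate without a CommonName can never have a valid sibling.
        $n  = 0
        if ($cn -ne '') { $n = [int]$validCount[$cn] }

        $action = 'DryRun'
        if (-not $DryRun) { $action = 'RevokedCertificateHold' }

        $report = [pscustomobject]@{
            CA                = $ca.Name
            RequestID         = $cert.RequestID
            CommonName        = $cn
            SerialNumber      = $cert.SerialNumber
            Template          = $cert.CertificateTemplate
            NotAfter          = $cert.NotAfter
            ValidCertificates = $n
            Action            = $action
        }

        switch ($n) {
            0       { $NoValid.Add($report) }
            1       { $OneValid.Add($report) }
            default { $ManyValid.Add($report) }
        }

        if (-not $DryRun) {
            # CertificateHold is the only reason the CA lets you reverse
            # (certutil -revoke <SerialNumber> Unrevoke), hence its use here.
            Revoke-Certificate -Request $cert -Reason CertificateHold
        }
    }
}

$OneValid  | Export-Csv -Path (Join-Path $ReportFolder "expired-one-valid-$Stamp.csv")  -NoTypeInformation
$ManyValid | Export-Csv -Path (Join-Path $ReportFolder "expired-many-valid-$Stamp.csv") -NoTypeInformation
$NoValid   | Export-Csv -Path (Join-Path $ReportFolder "expired-no-valid-$Stamp.csv")   -NoTypeInformation

"Expired certificates: one valid {0}, many valid {1}, none valid {2}" -f $OneValid.Count, $ManyValid.Count, $NoValid.Count
```

Run it once with $DryRun left at $true and read the three reports; the "no valid certificate" group is the one to look at hardest, since those CommonNames have no current certificate at all and an expired entry there may be a service that silently stopped renewing rather than one that was decommissioned. Only after that review set $DryRun to $false, and keep the CSVs: the SerialNumber column is what you need for certutil -revoke <SerialNumber> Unrevoke if a revocation has to be rolled back.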
