Clean up expired certificates from AD

Security MVP Vadims Podans just did a great post on using PowerShell to remove expired user certificates from Active Directory.

In a nutshell,

  • If your company uses certificates for user authentication or encryption, those certificates expire on a regular schedule and get reissued,
  • When the certificate template is configured to publish to Active Directory, the Enterprise CA appends each new certificate to the user’s userCertificate attribute but never removes the expired ones,
  • Over time these increasingly clutter your AD, making administration harder and adding replication traffic: userCertificate is a non-linked multi-valued attribute, so every change to it replicates the whole attribute, expired values included.

Luckily, cleaning up expired certificates with PowerShell is extremely easy.

To do the clean-up for a specific user, run this one-liner (the QAD cmdlets come with the Quest ActiveRoles Management Shell for Active Directory; -Valid:$false selects the certificates that are no longer valid):

Get-QADUser username | Remove-QADCertificate -Valid:$false

To clean up the entire domain, just drop the user name:

Get-QADUser | Remove-QADCertificate -Valid:$false
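The same clean-up with the Microsoft ActiveDirectory module instead of the Quest cmdlets, as an added example that is not code from Vadims’ post or from this one. It assumes the RSAT ActiveDirectory module is installed and that the account running it can write userCertificate; the function names and the sample OU OU=Users,DC=example,DC=com are this example’s own choices. It goes a little beyond the one-liners: it first reports how many certificates each user has and how many of them are expired, lets you restrict the clean-up to users carrying more than a given number of certificates, and supports -WhatIf so you can see exactly what would be deleted before touching anything.

```powershell
# Added example (not from the original post): report and prune expired values of
# userCertificate with the Microsoft ActiveDirectory module. Assumes RSAT is
# installed and the caller may write userCertificate. Function names and the
# sample OU below are this example's own choices.
Import-Module ActiveDirectory

function Get-UserCertificateReport {
    # One object per user: how many certificates are published in AD and how
    # many of them are past NotAfter. Runs against the whole domain by default.
    [CmdletBinding()]
    param(
        [string]$Filter = '*',
        [string]$SearchBase
    )
    $query = @{ Filter = $Filter; Properties = 'userCertificate' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $now = Get-Date

    foreach ($user in Get-ADUser @query) {
        $certs = @()
        foreach ($raw in @($user.userCertificate)) {
            if (-not $raw) { continue }   # no published certificates at all
            try {
                # Cast from byte[] uses the X509Certificate2(byte[]) constructor
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]$raw
            } catch {
                Write-Warning "$($user.SamAccountName): skipping a userCertificate value that is not a parsable X.509 certificate"
            }
        }
        # "Expired" here means NotAfter is in the past on the machine running
        # the script; revocation is not checked (it does not matter for clutter).
        $expired = @($certs | Where-Object { $_.NotAfter -lt $now })
        New-Object PSObject -Property @{
            SamAccountName      = $user.SamAccountName
            DistinguishedName   = $user.DistinguishedName
            Total               = $certs.Count
            Expired             = $expired.Count
            ExpiredCertificates = $expired
        }
    }
}

function Remove-ExpiredUserCertificate {
    # Takes report objects from Get-UserCertificateReport and strips the expired
    # values. -MinimumTotal restricts it to users carrying more than N
    # certificates. All expired values for a user go in a single modify, so the
    # (non-linked, multi-valued) attribute replicates once per user, not once
    # per certificate.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Report,
        [int]$MinimumTotal = 0
    )
    process {
        if ($Report.Expired -eq 0 -or $Report.Total -le $MinimumTotal) { return }

        $values = New-Object System.Collections.ArrayList
        foreach ($cert in $Report.ExpiredCertificates) { [void]$values.Add($cert.RawData) }

        $action = "remove $($Report.Expired) expired of $($Report.Total) published certificate(s)"
        if ($PSCmdlet.ShouldProcess($Report.DistinguishedName, $action)) {
            Set-ADUser -Identity $Report.DistinguishedName -Remove @{ userCertificate = $values.ToArray() }
        }
        # Summary row of what was (or, under -WhatIf, would be) touched
        $Report | Select-Object SamAccountName, Total, Expired
    }
}

# Usage: report first, then preview, then remove.
# Users with expired certificates, most cluttered first:
Get-UserCertificateReport | Where-Object { $_.Expired -gt 0 } |
    Sort-Object Expired -Descending | Format-Table SamAccountName, Total, Expired

# Preview for one OU (sample OU, adjust to your domain), then run for real,
# touching only users that carry more than 10 certificates:
$ou = 'OU=Users,DC=example,DC=com'
Get-UserCertificateReport -SearchBase $ou | Remove-ExpiredUserCertificate -MinimumTotal 10 -WhatIf
Get-UserCertificateReport -SearchBase $ou | Remove-ExpiredUserCertificate -MinimumTotal 10
```

Always run the report and the -WhatIf pass before the real one: removing a certificate that is still valid breaks whatever relies on it being published (smart-card logon mapping, S/MIME address-book lookups), and the only test applied above is NotAfter against the clock of the machine you run it on.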

See Vadims’ original post for details.

Read more about PKI management with PowerShell here.

3 Responses to “Clean up expired certificates from AD”

  1. redsplashman23, March 22, 2014 at 2:36 pm

    Do you know how to make a PowerShell script that can display the number of published certificates a user has from the Published Certificates tab in AD? Can you do it so it displays the number of certificates every user in the domain has?
    Next, can you make it so it outputs only the users with more than xx certs?

  2. redsplashmn23, March 22, 2014 at 5:47 pm

    How would you write a PowerShell command for the following:
    1. Get a report of all users with expired certs and how many certs they have (not delete the certs, just query which users have expired certs)
    2. Get a report of users that have more than x certs
    3. Delete certificates for users that have more than x certs


© 2007-2014 Dmitry Sotnikov

August 2011
