Re: How to remove keys from the Windows 2003 CA archive
From: lelteto (lelteto_at_discussions.microsoft.com)
Date: Tue, 1 Mar 2005 08:15:04 -0800
There are two ways to 'remove' keys:
1. delete the container (assuming it has one key or you intend to remove
2. overwrite the key (generate a new key or import one)
Note that in both cases if you keep the certificate around you may run into
trouble (in the first case it will not find the referred container; in the
second case it may be even more problematic as now the cert and key pair
would not match).
Also, in case of encryption keys you may want to 'keep them around' (ie.
archive) anyway - although you definitely can (actually, should) delete
signing private keys when they are not needed any more.
"David Cross [MS]" wrote:
> How you determine that something should be purged is not a simple challenge,
> and that is why we don't expose a simple mechanism or auto-purge.
> David B. Cross [MS]
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "selkin" <firstname.lastname@example.org> wrote in message
> > What is the mechanism for removing or purging items from the key
> > archive, e.g. when they are beyond their useful life?
> > Is there any MS documentation that describes how to do this? Thanks.
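The two failure modes lelteto describes (a certificate whose key container was deleted, and a certificate whose container was overwritten with a non-matching key) can be audited on a Windows machine with the script below. It is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell with .NET Framework 4.6 or later (for RSACertificateExtensions), RSA keys, and the default store path shown.

```powershell
function Test-CertificateKeyBinding {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed default store
    # Constructed probe bytes: sign with the container's key, verify with the
    # certificate's public key; a failure means the pair no longer matches.
    $probe  = [System.Text.Encoding]::ASCII.GetBytes('key-binding-probe')
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $ext    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $status = 'Ok'
        $detail = ''
        if (-not $cert.HasPrivateKey) {
            # No key-provider info attached: a public certificate only.
            $status = 'NoKeyReference'
        }
        elseif ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') {
            $status = 'Skipped'   # this check handles RSA keys only
        }
        else {
            try {
                # Case 1: HasPrivateKey only says the cert points at a container;
                # opening it fails if the container was deleted.
                $priv = $ext::GetRSAPrivateKey($cert)
                if ($null -eq $priv) { throw 'private key container not found' }
                # Case 2: the container exists but was overwritten with a new key,
                # so its signature does not verify under the certificate.
                $sig = $priv.SignData($probe, $sha256, $pkcs1)
                $pub = $ext::GetRSAPublicKey($cert)
                if (-not $pub.VerifyData($probe, $sig, $sha256, $pkcs1)) {
                    $status = 'KeyMismatch'
                }
            }
            catch {
                $status = 'KeyUnavailable'     # missing container, or no access to it
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Status     = $status
            Detail     = $detail
        }
    }
}

Test-CertificateKeyBinding | Format-Table -AutoSize
```

Run it before and after cleaning up key containers: any certificate that moves to KeyUnavailable or KeyMismatch is one that should be removed from the store along with its key, as the reply recommends.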