The short answer is, you can’t. We have hunted for this unicorn of IT apps and commands for years and thought that, at the very least, there should be a ready way to see WHEN a certificate was last used, but there is none.

Certificates could be used in IIS, LDAPS, Admin Center, Apache, WSUS and a million other places. This advice from 2017 is still relevant today:

It’s probably fastest and cheapest to run a scream test. The change review board may not like the suggestion, but sometimes things like the scream test are the only reasonable things left. Just establish a solid back out plan.

You can hunt and prod and monitor and still miss edge cases from things that happen only twice a year or other weird constraints.

What To Do About Expired / Unused SSL Certificates?

In real life, most admins will leave expired or unused certificates in place; in other words, they do nothing. The problem with this is clutter and confusion. If you have a question about what is using an SSL certificate, most likely others will too. We think it is best to deal with it, but because there is no way to “disable” a certificate before you delete it, the process is risky.

How To Back Up a Certificate Before Deleting

We back up the certificate by exporting it before we delete any questionable cert.

  1. Click START and type MMC.
  4. Right click on the SSL certificate in question
  5. Select ALL TASKS > EXPORT…
  6. Complete the wizard
  7. Right click on the certificate in question and select DELETE
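
The same export-then-delete routine can be scripted in PowerShell. This is an added example, not part of the original post; it assumes the certificate sits in the Local Machine "Personal" store, and `$Thumbprint` and `$BackupDir` are placeholder parameters. It refuses to delete when the private key cannot be exported, because a public-only backup cannot put a service back online.

```powershell
# Added example: back up a certificate, verify the backup, then delete it.
# Assumptions: elevated session, certificate in Cert:\LocalMachine\My,
# $Thumbprint and $BackupDir supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $BackupDir = 'C:\CertBackup'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Record what is being removed so a restore can be matched to the right file.
$cert | Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter, HasPrivateKey |
    Export-Csv -Path (Join-Path $BackupDir "$Thumbprint.csv") -NoTypeInformation

# The public certificate can always be exported.
Export-Certificate -Cert $cert -FilePath (Join-Path $BackupDir "$Thumbprint.cer") | Out-Null

if ($cert.HasPrivateKey) {
    # Only a PFX (certificate + private key) can restore a broken service.
    # The export fails when the key was imported as non-exportable.
    $pfxPath  = Join-Path $BackupDir "$Thumbprint.pfx"
    $password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ErrorAction Stop | Out-Null
        # Read the file back and confirm it holds the certificate we meant to save.
        $saved = (Get-PfxData -FilePath $pfxPath -Password $password -ErrorAction Stop).EndEntityCertificates
        if ($saved.Thumbprint -notcontains $cert.Thumbprint) { throw 'PFX does not contain the expected certificate.' }
    }
    catch {
        Write-Error "No usable private-key backup, certificate NOT deleted: $($_.Exception.Message)"
        return
    }
}

# Backup is in place; remove the certificate from the store.
Remove-Item -Path $cert.PSPath
Write-Output "Deleted $($cert.Subject) ($Thumbprint); backup is in $BackupDir"
```

If the scream test produces a scream, `Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\LocalMachine\My -Password <securestring>` puts the certificate and key back; the service that used it may still need to be rebound to it.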
