The short answer is, you can’t. We have hunted for this unicorn of IT apps and commands for years and thought that, at the very least, there should be a ready way to see WHEN a certificate was last used, but there is none.
Certificates could be used in IIS, LDAPS, Admin Center, Apache, WSUS and a million other places. This advice from 2017 is still relevant today:
It’s probably fastest and cheapest to run a scream test. The change review board may not like the suggestion, but sometimes things like the scream test are the only reasonable things left. Just establish a solid back out plan.
You can hunt and prod and monitor and still miss edge cases from things that happen only twice a year or other weird constraints.
ServerFault.com/questions/886489/how-to-determine-if-a-certificate-is-being-used
In real life, most admins will leave expired or unused certificates in place; in other words, they do nothing. The problem with this is clutter and confusion. If you have a question about what is using an SSL certificate, most likely others will too. We think it is best to deal with it, but because there is no way to “disable” a certificate before you delete it, the process is risky.
We back up the certificate by exporting it before we delete any questionable cert.
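The export-then-delete step described above, as an added PowerShell example that is not part of the original article. The store path, the backup folder and the thumbprint you pass in are assumptions; it expects an elevated session on the machine that holds the certificate, and it refuses to delete anything when the private key cannot be backed up.

```powershell
# Added example (not from the article): back up a questionable certificate, then delete it.
# Assumptions: the store path and backup folder defaults below are illustrative.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$BackupDir = 'C:\CertBackup'
)
$ErrorActionPreference = 'Stop'

$cert = Get-Item -Path "$StorePath\$Thumbprint"
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$base = Join-Path $BackupDir $cert.Thumbprint

# Record what is being removed so the back-out plan has the details.
$cert | Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey, FriendlyName |
    Export-Csv -Path "$base.csv" -NoTypeInformation

if ($cert.HasPrivateKey) {
    $pw = Read-Host -AsSecureString -Prompt 'Password for PFX backup'
    try {
        Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $pw | Out-Null
    } catch {
        # Key marked non-exportable: no key backup means no back-out, so stop here.
        throw "Private key could not be exported; certificate left in place. $_"
    }
    # Confirm the backup opens and holds the same certificate before deleting anything.
    $check = (Get-PfxData -FilePath "$base.pfx" -Password $pw).EndEntityCertificates
    if ($check.Thumbprint -notcontains $cert.Thumbprint) {
        throw 'PFX backup failed verification; certificate left in place.'
    }
} else {
    # No private key in the store: the public certificate is all there is to save.
    Export-Certificate -Cert $cert -FilePath "$base.cer" | Out-Null
}

# Delete the certificate. Without -DeleteKey the private key container stays on disk.
Remove-Item -Path $cert.PSPath

# Back-out (run if something screams):
#   Import-PfxCertificate -FilePath "$base.pfx" -CertStoreLocation $StorePath -Password $pw
#   Import-Certificate    -FilePath "$base.cer" -CertStoreLocation $StorePath
Write-Host "Removed $($cert.Thumbprint); backup written to $BackupDir"
```

The PFX file contains the private key, so store it and its password with the same care as the key itself.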