Expired certificate keeps re-appearing a few minutes after it is deleted

Paul Salotti 1 Reputation point
2020-10-08T20:49:18.963+00:00

We have a Windows 2016 SCCM server with a local instance of SQL server 2016. The SQL server cert was expiring and a new SQL Server cert was created and applied. When we delete the old SQL Server certificate in the Certificates MMC, it re-appears a few minutes later. The new certificate is selected in SQL Configuration Manager and the old certificate removed. Why would the old certificate keep re-appearing in the Certificates MMC a few minutes after it's deleted?

Tags: SQL Server, Windows Server Security, Microsoft Configuration Manager

3 answers

  1. Hannah Xiong 6,276 Reputation points
    2020-10-09T03:29:34.497+00:00

    Hello,

    Thank you so much for posting here.

    Would you please help to collect more information for us to narrow down the issue?

    1: How was the old SQL Server certificate created? Was it automatically enrolled?
    2: Does the deleted certificate re-appear a few minutes later each time you try to delete it? That is to say, no matter how many times you delete it, it re-appears a few minutes later. Is my understanding correct?
    3: Is the re-appearing certificate exactly the same as the deleted one? Do they have the same expiration date?

    If there are any concerns about the information above, please feel free to contact me. Thanks for your understanding.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Paul Salotti 1 Reputation point
    2020-10-09T14:09:48.067+00:00

    Hi HannahXiong-MSFT

    1) The certificate was created using the steps under “Install on a single server” and “Configure server” located here:

    enable-encrypted-connections-to-the-database-engine

    2) You are correct.
    3) The deleted certificate that re-appears is exactly the same, with the same expiration date of 10/4/2020.


  3. Hannah Xiong 6,276 Reputation points
    2020-10-13T02:44:49.813+00:00

    Hello PaulSalotti-4196,

    Thank you so much for your kind reply.

    Frankly speaking, we are not SQL Server professionals, so we are sorry that we could not reproduce this issue.

    As per my understanding and experience, if certificate auto-enrollment is configured via Group Policy, a deleted certificate will re-appear after the next Group Policy refresh. For example:

    I configured user certificate auto-enrollment. Then I deleted this user certificate. After running gpupdate /force, the certificate comes back with the same expiration date.

    [screenshot 31914-1.png: the deleted user certificate back in the store after gpupdate /force]

    Reference about configuring certificate auto-enrollment: https://video2.skills-academy.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    It is suggested to run gpresult /h C:\report.html to get the GPO report and check whether such a policy is applied to this server.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

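The answer above points at auto-enrollment and suggests gpresult. The script below is an added example, not code from the thread or from Microsoft, that runs the checks a practitioner would want on the SQL host in one pass: which certificate thumbprint SQL Server is actually bound to, whether machine auto-enrollment is set by Group Policy, which certificates in LocalMachine\My carry a CA template (i.e. could have been enrolled rather than imported by hand), and the recent certificate lifecycle events. It assumes a default SQL Server 2016 instance (registry key MSSQL13.MSSQLSERVER) and that you pass the thumbprint of the certificate that keeps returning as $OldThumbprint; neither detail is stated in the thread, so adjust them for your server. Run it in an elevated PowerShell session on the SCCM/SQL host.

```powershell
# Added diagnostic example (not from the thread or from Microsoft docs).
# Assumptions, not stated on the page: default SQL Server 2016 instance (MSSQL13.MSSQLSERVER),
# and $OldThumbprint is the thumbprint of the expired certificate that keeps re-appearing.
param(
    [string]$OldThumbprint = '',                    # assumed input: thumbprint of the cert you keep deleting
    [string]$InstanceKey   = 'MSSQL13.MSSQLSERVER'  # assumed: default instance of SQL Server 2016
)

# Extensions an enterprise CA stamps into certificates issued from a template.
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-TemplateInfo {
    # Returns the template name/OID recorded in the cert, or '' for self-signed or manually created certs.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    if ($ext) { return ($ext.Format($false) -replace '\s+', ' ').Trim() }
    return ''
}

function Get-SqlBoundThumbprint {
    # SQL Server Configuration Manager stores the selected certificate's thumbprint here
    # (hex, sometimes with embedded spaces). This is the value that matters for TLS, not
    # what else happens to sit in the store.
    $path  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
    $value = (Get-ItemProperty -Path $path -Name Certificate -ErrorAction SilentlyContinue).Certificate
    if (-not $value) { return '' }
    return ($value -replace '\s', '').ToUpperInvariant()
}

function Get-AutoEnrollmentPolicy {
    # Group Policy writes the machine autoenrollment setting to AEPolicy under the Policies hive.
    # Bit 0x1 = enroll certificates automatically, 0x2/0x4 = renew and update, 0x8000 = explicitly disabled.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $ae   = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae)    { return 'not set by Group Policy' }
    if ($ae -band 0x8000) { return ('disabled by policy (AEPolicy=0x{0:X})' -f $ae) }
    if ($ae -band 0x1)    { return ('enabled by policy (AEPolicy=0x{0:X})' -f $ae) }
    return ('AEPolicy=0x{0:X}' -f $ae)
}

$sqlThumb = Get-SqlBoundThumbprint
"SQL Server instance $InstanceKey is bound to thumbprint: $(if ($sqlThumb) { $sqlThumb } else { '<none>' })"
"Machine certificate autoenrollment: $(Get-AutoEnrollmentPolicy)"
""

"Certificates in LocalMachine\My:"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $flags = @()
    if ($_.Thumbprint -eq $sqlThumb)   { $flags += 'USED BY SQL' }
    if ($_.NotAfter -lt (Get-Date))    { $flags += 'EXPIRED' }
    if ($OldThumbprint -and $_.Thumbprint -eq $OldThumbprint.ToUpperInvariant()) {
        $flags += 'SAME THUMBPRINT AS DELETED CERT'
    }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Serial     = $_.SerialNumber
        Template   = Get-TemplateInfo $_
        Flags      = ($flags -join ', ')
    }
} | Format-Table -AutoSize

# The lifecycle log records when a certificate was installed in a store and by which process.
"Recent certificate lifecycle events:"
Get-WinEvent -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

How to read the output: delete the old certificate, trigger a refresh with gpupdate /force as in the answer (certutil -pulse also fires the autoenrollment task), and run the script again. If the returning certificate carries a Template value, a new serial number and a later NotAfter, auto-enrollment re-enrolled it from the template and the fix is to scope the autoenrollment GPO or the template's permissions so this server no longer qualifies, rather than deleting the certificate again. If it comes back with the identical thumbprint, serial and 10/4/2020 expiry, enrollment cannot be the source, because a CA issues a fresh serial and validity period on every enrollment, so check the lifecycle events for the process that re-installed it. Either way, the row flagged USED BY SQL is the only certificate clients see: an expired certificate left in the store is harmless as long as SQL Server is bound to the new thumbprint and the service account can read the new private key.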
