Remove Certificates for Message Queuing

Applies To: Windows Server 2008

You can use this procedure to remove user certificates for Message Queuing from Active Directory Domain Services. Remove a client certificate for Message Queuing from Active Directory Domain Services if you no longer want to use that certificate for message authentication.

Membership in <Domain>\Domain Users, or equivalent, is the minimum required to complete this procedure.

To remove client certificates for Message Queuing from Active Directory Domain Services

  1. Click Start, point to Run, type compmgmt.msc, and press ENTER to display the Computer Management MMC console.

  2. In the console tree, right-click Message Queuing.

    Where?

    • Computer Management/Services and Applications/Message Queuing

  3. Click Properties.

  4. In the Message Queuing Properties dialog box, click the User Certificate tab, and then under User certificates, click Remove.

  5. In the Personal Certificates dialog box, click the applicable user certificate, and then click Remove.

Additional considerations

  • A list of all certificates registered for the user in Active Directory Domain Services is displayed in the Personal Certificates dialog box. There might be a certificate for the same user on more than one computer, including the computer from which you are currently running the MMC snap-in. The list will take the form of domain\user, computer name.

  • You can remove any user certificate that is listed. However, if a registered certificate for a computer is removed using another computer, the certificate is removed from Active Directory Domain Services, but will still exist on the local computer.

  • Active Directory Domain Services sets a multi-valued attribute limit of approximately 800 user certificates for a specific user account. This limit may be exceeded when obsolete user certificates have not been deleted from Active Directory Domain Services. If multiple certificates exist for a user account (user account, computer_name), indicating obsolete entries, then only the latest certificate is used, and the others can be deleted. For example, a list of certificates similar to the following may be displayed in the Personal Certificates dialog box:

    • DOMAINA\user1, computer3

    • DOMAINA\user1, computer3

    • DOMAINA\user1, computer3

  • You can check which is the latest entry for DOMAINA\user1, computer3, and delete the other computer3 entries. To check the latest entry, click the required certificate, and then click View Certificate. On the Details tab, look at the Valid from field. Note that only the certificate with the most recent Valid from date is in use. The others are obsolete.
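
The check in the last two items can be scripted once each entry and its Valid from date have been written down from the dialog boxes. The following is an added example, not code from the original page; the function name Get-ObsoleteMsmqCertEntry, the Entry and ValidFrom properties, the computer7 entry and all dates are assumptions or constructed sample data.

```powershell
# Added example. Requires Windows PowerShell 3.0 or later.
# Get-ObsoleteMsmqCertEntry, Entry and ValidFrom are names assumed for this example.
function Get-ObsoleteMsmqCertEntry {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int] $ApproximateLimit = 800   # approximate per-user limit stated above
    )

    if ($Entries.Count -ge $ApproximateLimit) {
        Write-Warning "$($Entries.Count) entries: at or above the approximate limit of $ApproximateLimit."
    }

    # Same "domain\user, computer name" text = same user on the same computer.
    # Group-Object compares strings case-insensitively by default.
    $Entries | Group-Object -Property { $_.Entry.Trim() } | ForEach-Object {
        $latest = ($_.Group | Sort-Object -Property ValidFrom -Descending |
                   Select-Object -First 1).ValidFrom
        foreach ($e in $_.Group) {
            # Entries that tie on the most recent date are all kept, so nothing
            # in use is flagged by mistake; resolve ties by hand.
            $status = if ($e.ValidFrom -eq $latest) { 'Keep' } else { 'Obsolete' }
            [pscustomobject]@{
                Entry     = $e.Entry
                ValidFrom = $e.ValidFrom
                Status    = $status
            }
        }
    }
}

# Constructed sample data: entry text as listed in the Personal Certificates
# dialog box, Valid from as read on the Details tab of View Certificate.
$sample = @(
    [pscustomobject]@{ Entry = 'DOMAINA\user1, computer3'; ValidFrom = [datetime]'2008-02-11' }
    [pscustomobject]@{ Entry = 'DOMAINA\user1, computer3'; ValidFrom = [datetime]'2008-09-30' }
    [pscustomobject]@{ Entry = 'DOMAINA\user1, computer3'; ValidFrom = [datetime]'2009-04-17' }
    [pscustomobject]@{ Entry = 'DOMAINA\user1, computer7'; ValidFrom = [datetime]'2008-06-05' }
)

Get-ObsoleteMsmqCertEntry -Entries $sample | Format-Table -AutoSize
```

The script only classifies the transcribed list; the entries marked Obsolete are still removed through the Personal Certificates dialog box as described in the procedure.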
