Looking at the Windows 10 certificate store, I noticed some expired certificates:
I wonder:
- Why does W10 still keep expired certificates? I thought they were automatically removed after an "expiry grace time".
- Can all the expired certificates be removed without any side effects?
Thanks in advance
They are necessary to validate signatures made by expired signing certificates. If the signature is timestamped (there is an indication when the signing occurred), it is possible to validate the signature. The timestamp provides information to determine whether the certificate was valid at the signing time. This is why Windows ships a bunch of expired CA certificates.
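
To see which signed files on a machine still depend on expired certificates before touching the store, a read-only inventory helps. The script below is an added example, not part of the original answer; the scan folder `$scanDir` and the report column names are assumptions chosen for illustration.

```powershell
# Added example: read-only inventory; nothing is removed from any store.
$now = Get-Date

# Expired certificates currently in the machine's Trusted Root store.
$expiredRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt $now }
$expiredRoots | Sort-Object NotAfter |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Assumption: $scanDir is any folder holding Authenticode-signed binaries.
$scanDir = "$env:ProgramFiles"

$report = Get-ChildItem -Path $scanDir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) { return }   # unsigned file, skip

        # Build the signer's chain; the last element is the root
        # when the chain is complete.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'  # stay offline, no CRL/OCSP fetch
        $null = $chain.Build($sig.SignerCertificate)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status
            Timestamped   = [bool]$sig.TimeStamperCertificate
            SignerExpired = $sig.SignerCertificate.NotAfter -lt $now
            RootExpired   = $root.NotAfter -lt $now
            RootThumb     = $root.Thumbprint
        }
    }

# Files whose signature relies on an expired signer or root certificate.
$report | Where-Object { $_.SignerExpired -or $_.RootExpired } |
    Format-Table -AutoSize
```

Any row where `RootThumb` matches a thumbprint from the first table is a file whose signature validation would be affected by deleting that expired root.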