Anyone know what happens to expired trusted server certificates? I was working on our LDAPS cert and noticed we have 13 other expired certificates. Do we just delete them, or can I get them renewed somehow?
They should not be used at all. If your IVE cert is from a well-known CA (VeriSign, GoDaddy, Akamai, etc.), then it was signed with a cert that won't expire before your IVE cert does. Personally, I delete them myself as they expire. If you don't delete them and make a connection from your IVE to a website signed by one of them, the IVE will generate a certificate error; if you do delete them, any site whose certificate was signed by them will still generate an error (just not the same error).
If you use client certificates for authentication, you either 1) provide them yourself from an internal or single/limited list of CAs, or 2) simply require that your users have a personal certificate signed by a 'well-known' CA. In the first case, only the CA cert (or list of CA certs) needs to be copied into the Client CA certs page to validate your users' certificates. In the second case, while you leave yourself open to impersonation by certificate, you would need to import every CA certificate that your users purchase their certs from into the Client CA certificate page.
I have not done any large deployments using certificate authentication, but I have used both OpenSSL scripts and MS Certserv to issue client certificates, and I currently use a single client cert (plus other auth methods) on both an SA-2000 and an Apache web server.
I see that I've rambled on a bit. The answer to your question is that only the error message will change if you delete the expired certs, not the fact that certs signed by them will generate an error.
If you have Windows machines, you've probably noticed Windows Update updating the Windows certificate store. These updates add new CA and intermediate CA certificates to Windows (once approved by MS), for example the 2048- and 4096-bit VeriSign certificates that don't expire until 2036. I just checked one of my Win2k3 machines, and MS does not remove expired Trusted Root Certificates. I guess their reasoning is that there's a difference between a cert NOT signed by a trusted CA cert and a cert signed by an expired trusted CA cert. To me there's no difference, because they're both untrusted. Of course, I also remove CAs that I think are untrustworthy and therefore don't trust any of the certs they have issued.