How to decommission certificate authority in windows 2008

After a CA is uninstalled, certain information is left on the server. By default, this information is kept on the server in case you uninstall and then reinstall the CA.

When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory. Among these objects is one that contains information about the types of certificates the CA has been configured to issue; permissions on this object control which security principals can enroll against this CA. The CA uninstall process removes this object, which prevents clients from trying to enroll against the decommissioned CA. The other objects are retained, because certificates issued by the CA are probably still outstanding.

These certificates must be revoked by following the procedure in the "Step 1: Revoke all active certificates that are issued by the enterprise CA" section. If the outstanding certificates are processed by the various PKI clients, validation will fail, and those certificates will not be used.

Do not remove these objects if you expect to process one or more of the formerly active digital certificates. Note: You should not remove certificate templates from Active Directory until after you remove all CA objects in the Active Directory forest. To remove all Certification Services objects from Active Directory, follow these steps:

Make a note of the Name value that belongs to your CA. You will need this CACommonName for later steps in this procedure. On the View menu, click Show Services Node. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times. If the object is not deleted, right-click the object, click Delete, and then click Yes. If you did not locate all the objects, some objects may be left in Active Directory after you perform these steps.

To clean up after a CA that may have left objects in Active Directory, follow these steps to determine whether any AD objects remain. For example, if the Name value is "CA1 Contoso," type the following: Open the remainingCAobjects file. Replace the term "changetype: add" with "changetype: delete". Delete the certificate templates only if you are sure that all of the certification authorities have been deleted.
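The same check can be scripted instead of exporting with ldifde and hand-editing the LDIF. The following is an added example, not code from the original article or the forum thread: it searches the forest's Public Key Services container for any object whose cn matches the CA's Name value and, only when asked, deletes what it finds through ShouldProcess so -WhatIf shows the effect first. It assumes the RSAT ActiveDirectory module is installed; "CA1 Contoso" is the page's own example name.

```powershell
# Added example: list (and optionally remove) Certification Services objects that
# still carry a decommissioned CA's common name under CN=Public Key Services.
# Assumes the ActiveDirectory module (RSAT). Read-only unless -Remove is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$CaCommonName,   # the CA's "Name" value, e.g. "CA1 Contoso"
    [switch]$Remove          # delete matches; honours -WhatIf and -Confirm
)

Import-Module ActiveDirectory

# Public Key Services lives in the forest Configuration partition, not the domain partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# A CA leaves objects named after itself in several child containers (Enrollment Services,
# Certification Authorities, AIA, CDP, KRA). Certificate templates are not named after the CA,
# so this filter never touches them; the article warns they must be deleted last, if at all.
# Note: a CA name containing ( ) * or \ would need LDAP filter escaping.
$remaining = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree `
    -LDAPFilter "(cn=$CaCommonName)" -Properties objectClass, whenChanged

if (-not $remaining) {
    Write-Output "No objects named '$CaCommonName' remain under $pkiBase"
    return
}

$remaining | Select-Object Name, ObjectClass, whenChanged, DistinguishedName | Format-Table -AutoSize

if ($Remove) {
    foreach ($obj in $remaining) {
        # Deletes in the Configuration partition replicate forest-wide, so each one is gated
        # by ShouldProcess: run with -WhatIf to preview, without it to actually delete.
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove-ADObject')) {
            Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false
        }
    }
}
```

Run it as `.\Find-CaObjects.ps1 -CaCommonName "CA1 Contoso"` to list what remains, then add `-Remove -WhatIf` to preview the deletions before committing to them.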

Repeat step 12 to determine whether any AD objects remain. Important: You must not delete the certificate templates unless all the certification authorities have been deleted.

I'm the only one who has had fingers in this network for the past 22 years and I do not remember enabling anything. Could the install of AD CS have set those policies?

Sometimes ADCS is set up because it was thought to be required. None of that would have been automatic.

A lot of walkthroughs recommend setting up the EFS recovery and auto-enroll. This is because there is nothing by default stopping users from turning on EFS. With the recovery cert from AD, it makes it so the admin can recover files if a user were to lose their EFS cert.

However, in over a decade of doing this I've never had a user turn on EFS. If you do go down the cert road again, don't put it on a DC. As you can see, it just adds complexity if you want to migrate DCs.

Please be merciful of my ignorance.

Click to clear the Certification Authority check box, and then click Next. If IIS is running and you are prompted to stop the service before you continue with the uninstall process, click OK.

After the Remove Roles Wizard is finished, you must restart the server. If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

