Decommission WS 2003 Enterprise CA
-
Wednesday, 21 November 2012 09:02
Hi,
I'd like to decommission an enterprise CA from a WS 2003 (also DC and Exchange 2003 - eventually this server will be decommissioned) from a network as we don't need it anymore, according to KB 889250. There are 3 other DCs (3 sites), 2 cluster nodes and a couple of other servers, all 2008R2. We don't need a PKI anymore, no smart card authentication and other certificate based stuff (as far as I know). Can I just go ahead with the procedure? KB 889250 doesn't give any information or warnings about this situation. Self-evidently I don't want this network to collapse...
Regards
Ueli
All replies
-
Thursday, 22 November 2012 04:56 Moderator
Hi Ueli,
Thanks for posting in Microsoft TechNet forums.
Since the PKI structure is no longer needed, it is OK to follow the steps in KB889250 to decommission the CA.
Please feel free to let us know if you have any further concern or question.
Have a nice day.
Regards
Kevin
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
- Edited by K_evin Zhu, Microsoft Contingent Staff, Moderator, Thursday, 22 November 2012 04:58
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, 3 December 2012 08:20
-
Friday, 23 November 2012 12:45
Hello Kevin
Thanks for your reply! I'm almost done. However, issuing "certutil -key" on one of the 2008R2 DCs I get:
C:\Windows\system32>certutil -key
Microsoft Strong Cryptographic Provider:
le-DomainController-9977e1b0-8a59-4253-frgf-xyzabcdefghijk
44bbe8b1d3b808780c9e974384d15fb0_14ea8532-cbc8-4231-qrst-xyzabcdefghijk
AT_KEYEXCHANGE
le-DomainController-ce995f9f-7083-4064-ggad-xyzabcdefghijk
a413cdb738651009846e55334c08a56d_14ea8532-cbc8-4231-qrst-xyzabcdefghijk
AT_KEYEXCHANGE
le-DomainController-ce902bdb-0375-492a-lmst-xyzabcdefghijk
deea9abb71054e0349725cdd656944d7_14ea8532-cbc8-4231-qrst-xyzabcdefghijk
AT_KEYEXCHANGE
TSSecKeySet1
f686aace6942fb7f7ceb231212eef4a4_14ea8532-cbc8-4231-slkd-xyzabcdefghijk
AT_KEYEXCHANGE
I understand it displays the private keys. How can I translate this to human understandable information? The idea is to delete the keys that aren't used anymore.
Regards
Ueli
-
Monday, 26 November 2012 02:56
Hi,
We need to confirm the name of your root CA and delete the private keys that are associated with the root CA.
Then run the command certutil -delkey "(Your Root CA name)" to delete the keys.
Niko
-
Monday, 26 November 2012 10:05
Hi,
That doesn't work. The CA doesn't exist anymore as I've decommissioned it. How can I find out what these left behind "key containers" are for?
Regards
Ueli
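One way to answer the question in the two posts above (which certificate, if any, each container listed by "certutil -key" belongs to) is to map the machine's Personal store certificates to their CSP key container names and join that against the certutil listing. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 3.0 or later on the DC, an elevated prompt, and CSP keys ("Microsoft Strong Cryptographic Provider") as in the listing, so CNG keys are not covered.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+ on the DC,
# run elevated, and CSP ("Microsoft Strong Cryptographic Provider") keys as in the
# "certutil -key" listing above; CNG keys are not handled.

# One record per certificate in the machine's Personal store that has a CSP private
# key, carrying the container names that "certutil -key" prints for it.
function Get-CertKeyContainer {
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if (-not ($cert.HasPrivateKey -and $cert.PrivateKey)) { continue }
        $info = $cert.PrivateKey.CspKeyContainerInfo
        # Template extension: v1 templates carry the name, v2 templates the OID.
        $tmpl = $cert.Extensions |
            Where-Object { @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Template   = ($tmpl -join '; ')
            NotAfter   = $cert.NotAfter
            Container  = $info.KeyContainerName        # first line of a certutil -key block
            UniqueName = $info.UniqueKeyContainerName  # second line: file under MachineKeys
            Provider   = $info.ProviderName
        }
    }
}

# Parse "certutil -key" (container name, unique name and key spec on consecutive
# lines per container) and annotate each container with the certificate using it.
function Get-KeyContainerUsage {
    $known = @{}
    foreach ($c in Get-CertKeyContainer) { $known[$c.Container] = $c }
    $lines = @(certutil -key | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' -and $_ -notmatch ':$' })
    for ($i = 0; $i + 2 -lt $lines.Count; $i += 3) {
        $name = $lines[$i]
        $used = '<no certificate in LocalMachine\My>'
        if ($known.ContainsKey($name)) { $used = $known[$name].Subject }
        [pscustomobject]@{
            Container = $name
            KeySpec   = $lines[$i + 2]
            UsedBy    = $used
        }
    }
}

Get-KeyContainerUsage | Format-Table -AutoSize
```

A container with no matching certificate is a candidate to investigate, not yet one to pass to "certutil -delkey": TSSecKeySet1 in the listing above, for instance, is a Terminal Services key container rather than the key of a certificate in the Personal store.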
-
Tuesday, 27 November 2012 03:28
The "certutil -key" command is to be performed before removing the root CA. Since the CA has already been removed from AD, we shall proceed to perform the "Remove all Certification Services objects from Active Directory" of KB889250.
Niko
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, 3 December 2012 08:20

