How do I stop a sub cert server from issuing any new certificates

  • Thursday, March 29, 2012 7:20 PM

    I have an enterprise subordinate root server that only has 3 certificates that are active. I would like to decommission it. I have read through the article on decommissioning as well as the 2008 certificate migration guide, yet I'm not sure I understand what stops a CA from issuing certificates. I have posted before and am trying to decide whether I want to migrate the enterprise root to 2008 or start over, but since the enterprise subordinate only has 3 active certificates it would be easy to just decommission it and create new issuing subordinate CAs on my 2008 R2 servers. I have stopped auto-enrollment in AD, so I think the only way that the existing enterprise CA would issue a certificate would be via a request to the CA. From what I have read it seems that I need to extend the lifetime of the CRL, revoke the active certificates, and then issue a new CRL. I should then be able to follow through the balance of the process and decommission the CA, decommission the domain controller the CS is running on, and then remove the server from the domain. But what actually stops an installed CA from issuing certificates?


    eburch@lasertel.com

All Replies

  • Thursday, March 29, 2012 7:32 PM
     Answered
    The easiest way is to remove all assigned templates from the CA. In the Certification Authority MMC snap-in, select the Certificate Templates folder and remove all templates. And you can leave the CA in an operational state to publish new CRLs. After that you can start the decommission process.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
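
The two steps discussed in this thread, removing every template assigned to the CA (the answer above) and extending the CRL lifetime before publishing a fresh CRL (the original question), scripted with the built-in certutil.exe. This is an added example, not code from either poster or from the PSPKI module linked above. It assumes it is run elevated on the CA itself, that the `Name: Display name -- status` line format of `certutil -CATemplates` output holds (it does on 2008 R2 in my experience, but the regex is the part to check first), and the 52-week CRL period is an illustrative choice, not a value from the thread.

```powershell
# Added example (not from the thread): stop an AD CS enterprise CA from issuing
# new certificates by removing all assigned templates, then extend the CRL
# lifetime and publish a fresh CRL so relying parties keep a valid CRL after
# the CA is decommissioned. Uses only certutil.exe; run elevated on the CA.
param(
    [int]$CrlWeeks = 52,   # assumed/illustrative value, not from the thread
    [switch]$WhatIf        # preview the template removals without changing the CA
)

function Get-AssignedCATemplates {
    # Parse "certutil -CATemplates". Assumption: each template line looks like
    #   "<TemplateName>: <Display name> -- <enrollment status>"
    # and the trailing "CertUtil: ... completed successfully." line has no " -- ".
    $out = & certutil.exe -CATemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed:`n$($out -join "`n")" }
    foreach ($line in $out) {
        if ($line -like 'CertUtil:*') { continue }
        if ($line -match '^(?<name>[^:\s]+):\s.*\s--\s') { $Matches['name'] }
    }
}

$templates = @(Get-AssignedCATemplates)
Write-Host "Templates currently assigned to this CA: $($templates -join ', ')"

foreach ($t in $templates) {
    if ($WhatIf) { Write-Host "Would remove template $t"; continue }
    # A leading '-' tells "certutil -SetCATemplates" to remove that template;
    # '+' would add one. Removing every template leaves an enterprise CA with
    # nothing it can issue from, which is what actually stops issuance.
    & certutil.exe -SetCATemplates "-$t" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to remove template $t from the CA" }
}

if (-not $WhatIf) {
    # Verify the CA really has no templates left before touching the CRL.
    $remaining = @(Get-AssignedCATemplates)
    if ($remaining.Count -ne 0) { throw "Templates still assigned: $($remaining -join ', ')" }
    Write-Host "No templates assigned; the CA can no longer issue template-based certificates."

    # Extend the base CRL validity and turn off delta CRLs (a delta CRL that
    # expires in days would undo the point of a long-lived base CRL).
    & certutil.exe -setreg CA\CRLPeriodUnits $CrlWeeks | Out-Null
    & certutil.exe -setreg CA\CRLPeriod "Weeks"        | Out-Null
    & certutil.exe -setreg CA\CRLDeltaPeriodUnits 0    | Out-Null

    # Registry changes take effect after a service restart; then publish a new CRL.
    Restart-Service -Name CertSvc
    & certutil.exe -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed; check the CA event log" }

    # Show what was actually published so the validity period can be eyeballed.
    & certutil.exe -getreg CA\CRLPeriodUnits
    & certutil.exe -getreg CA\CRLPeriod
}
```

Run it once with `-WhatIf` to see which templates would be removed, then without. Note that removing templates only blocks template-based enrollment; the CA service stays up, which is exactly what you want while it still has to publish CRLs for the certificates it already issued. Revoke anything that must be distrusted before the final `certutil -CRL`, since that is the last CRL relying parties will see after the server is gone.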

  • Thursday, March 29, 2012 7:58 PM
    And if I remember correctly, there is no reason to revoke expired certificates since they are not trusted by default. Thanks as always for the help.

    eburch@lasertel.com

  • Thursday, March 29, 2012 8:04 PM
    Yes, it is not necessary to revoke them.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki