Decommissioning Enterprise Root CA nearly complete...

    Question

  • Hi all, I'm in the process of researching and completing labs on building and decommissioning an Enterprise Root CA in readiness for doing so in a live environment and have been following the Wiki article here: http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx?CommentPosted=true#commentmessage

    The final step (9) says: "Do not use this procedure if you are using certificates that are based on version 1 domain controller templates."

    Can anyone please explain why this shouldn't be done? What impact does it have if the certificates are removed? Bearing in mind that DCs are hard-coded to request a Domain Controller certificate in v1 format, this means that most default (not designed) installations of Enterprise Root CAs will issue v1 Domain Controller certificates, so it would be great to get some background on why running certutil -dcinfo deleteBad shouldn't be done, as there doesn't seem to be another option other than leaving the issued certificates alone?

    Should the final step just be skipped if DCs have v1 DomainController certificates?

    I look forward to reading any replies.

    Thanks!

    5 March 2012 12:20

Answers

  • When we run "certutil -dcinfo deletebad", certutil.exe is hard coded to evaluate the KDC certificate for the smart card logon OID. The problem is that the V1 domain controller template does not contain the smart card logon OID, yet this is completely OK to use for smart card authentication by the KDC. The command will incorrectly evaluate and delete any V1 domain controller certificates from domain controllers, which in turn breaks smart card authentication to the domain.

    So, we may not use the command to remove the certificates issued on the domain controllers. Thanks.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    13 March 2012 11:45
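As an added illustration (not part of the thread and not any poster's own procedure), the following PowerShell script takes a read-only inventory of a domain controller's machine certificate store, showing for each certificate which template issued it (the v1 "Certificate Template Name" extension versus the v2+ "Certificate Template Information" extension) and whether the Smart Card Logon EKU is present. Since the answer above says certutil -dcinfo deleteBad keys on that EKU, this shows what such a run would treat as "bad" before anything is deleted. The OIDs are the standard Microsoft values; the function and variable names are mine.

```powershell
# Added example, not from the thread: read-only inventory of the certificates in a
# domain controller's machine store, showing the issuing template (v1 name vs v2+ info)
# and whether the Smart Card Logon EKU is present. Per the accepted answer, certutil
# -dcinfo DeleteBad keys on that EKU, so this shows what such a run would treat as "bad".
# Run in an elevated PowerShell on the DC. The OIDs are the standard Microsoft values.

$SmartCardLogonEku    = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU
$KdcAuthenticationEku = '1.3.6.1.5.2.3.5'         # KDC Authentication EKU
$V1TemplateNameOid    = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates)
$V2TemplateInfoOid    = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+)
$EkuExtensionOid      = '2.5.29.37'               # Extended Key Usage

function Get-DcCertificateInventory {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert        = $_
        $ekus        = @()
        $template    = '(no template extension)'
        $templateVer = 'n/a'
        foreach ($ext in $cert.Extensions) {
            switch ($ext.Oid.Value) {
                $EkuExtensionOid   { $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
                $V1TemplateNameOid { $template = $ext.Format($false); $templateVer = 'v1' }
                $V2TemplateInfoOid { $template = $ext.Format($false); $templateVer = 'v2+' }
            }
        }
        [pscustomobject]@{
            Subject              = $cert.Subject
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            Template             = $template
            TemplateVersion      = $templateVer
            HasSmartCardLogon    = $ekus -contains $SmartCardLogonEku
            HasKdcAuthentication = $ekus -contains $KdcAuthenticationEku
        }
    }
}

$inventory = Get-DcCertificateInventory
$inventory | Format-Table Subject, TemplateVersion, Template, HasSmartCardLogon, HasKdcAuthentication, NotAfter -AutoSize

# Certificates without the Smart Card Logon EKU are the ones the accepted answer warns
# DeleteBad would remove, even though a v1 DomainController certificate is valid for the KDC.
$inventory | Where-Object { -not $_.HasSmartCardLogon } |
    ForEach-Object { Write-Warning "No Smart Card Logon EKU: $($_.Subject) [$($_.Template)] $($_.Thumbprint)" }
```

A v1 DomainController certificate shows up here with TemplateVersion "v1", Template "DomainController" and HasSmartCardLogon false, which is exactly the combination the answer describes as valid for the KDC yet flagged by deleteBad. The certutil-native equivalent is running certutil -dcinfo with the domain name and no DeleteBad/DeleteAll action, which only lists and verifies the DC certificates.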

All replies

  • Yes, the domain controller template is version 1. But I think you can run the command, as this is the root CA and all certificates have been revoked by previous steps.
    7 March 2012 9:15
  • Thanks for your response. I ran the command; however, the certificates seemed to remain in place. It wasn't entirely a surprise given that the CRL was deleted from the CDP in a previous step and the Domain Controller isn't likely to have obtained the new CRL during that period to check the revocation status anyway.

    As you say, the certificates have been revoked anyway so I decided to take things a step further and issue:

    certutil -dcinfo DeleteAll

    Which did the trick.

    It would still be nice to get some feedback or an open discussion with one of the PKI experts (Brian/Vadims) to explain a few of the steps in the decommissioning how-to. My biggest issue is the creation of a new CRL after all certificates have been revoked (makes sense) but then the removal of that CRL from Active Directory just a few steps later...?! Why issue a new CRL if you're going to delete it before the clients have had the opportunity to obtain a copy or cache it? It just seems pointless.

    Would it be wise to:

    1. Determine the amount of time the existing Base CRL is valid. (Let's say it's 1 week).
    2. Reduce the publishing interval of Base CRLs to 6 hours. Delta CRLs to disable.
    3. Wait 1 week for existing clients who have cached the CRL that's valid for 1 week to get one that's valid for 6 hours.
    4. Revoke all certificates.
    5. Increase the publishing interval of Base CRLs to 2 years (or beyond the lifetime of the longest certificate).
    6. Publish a new CRL.
    7. Wait 6 hours.
    8. Continue the decommission.

    If it's done the way suggested in the article, the CRL is deleted from AD mere minutes after publishing it. So how are the revoked certificates going to be determined as revoked if there's no CRL in the CDP? Do we expect the default HTTP CDP location to remain available?

    Questions, questions.

    Cheers

    8 March 2012 17:15
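As an added illustration (not part of the thread and not the poster's own procedure), here is a PowerShell script that carries out the CRL-period part of the plan above on an AD CS CA: it reads the current base and delta CRL settings, switches to short-lived base CRLs with delta CRLs disabled, and publishes a new CRL while printing its NextUpdate so the validity window can be confirmed. The registry path, the certutil -setreg and -CRL verbs and the CertEnroll folder are standard AD CS; the 6-hour and 2-year values are taken from the plan and the function names are mine.

```powershell
# Added example, not from the thread: reshaping base CRL publishing on an AD CS CA
# before decommissioning, following the poster's plan (short-lived CRLs during the
# transition, one long-lived final CRL after revocation). Run elevated on the CA itself
# with CA administrator rights. The numbers (6 hours, 2 years) are the thread's own and
# are assumptions for your environment.

$caConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CrlPublishingPeriod {
    # Read the active CA's CRL period settings straight from the CA registry key.
    $caName = (Get-ItemProperty -Path $caConfig -Name Active).Active
    $p = Get-ItemProperty -Path (Join-Path $caConfig $caName)
    [pscustomobject]@{
        CA           = $caName
        BasePeriod   = "$($p.CRLPeriodUnits) $($p.CRLPeriod)"
        DeltaPeriod  = "$($p.CRLDeltaPeriodUnits) $($p.CRLDeltaPeriod)"
        DeltaEnabled = ($p.CRLDeltaPeriodUnits -gt 0)
    }
}

function Set-CrlPublishingPeriod {
    param(
        [Parameter(Mandatory)][int]$Units,
        [Parameter(Mandatory)][ValidateSet('Hours','Days','Weeks','Months','Years')][string]$Period,
        [switch]$DisableDelta
    )
    # certutil -setreg writes the CA registry values; CertSvc must restart to apply them.
    certutil -setreg CA\CRLPeriodUnits $Units | Out-Null
    certutil -setreg CA\CRLPeriod $Period   | Out-Null
    if ($DisableDelta) {
        # A delta period of 0 units turns delta CRL publishing off.
        certutil -setreg CA\CRLDeltaPeriodUnits 0 | Out-Null
    }
    Restart-Service -Name CertSvc
}

function Publish-CrlAndShowNextUpdate {
    # Publish a new base CRL and report ThisUpdate/NextUpdate of the file written to
    # the default CertEnroll folder, so the validity window clients will see is confirmed.
    certutil -CRL | Out-Null
    $crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
           Where-Object { $_.Name -notmatch '\+\.crl$' } |   # delta CRL file names end in "+.crl"
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'
}

# Step 1 of the plan: see how long the existing base CRL is valid.
Get-CrlPublishingPeriod

# Steps 2-3: 6-hour base CRLs, delta CRLs disabled, then wait out the old CRL's lifetime.
Set-CrlPublishingPeriod -Units 6 -Period Hours -DisableDelta
Publish-CrlAndShowNextUpdate

# Steps 5-6 (only after every certificate has been revoked): one long-lived final CRL.
# Set-CrlPublishingPeriod -Units 2 -Period Years
# Publish-CrlAndShowNextUpdate
```

Two things to watch when reading the NextUpdate it prints: the CA adds its CRL overlap period on top of CRLPeriod (by default a fraction of the period, capped at 12 hours), so the printed window is somewhat longer than 6 hours, and the CA truncates a CRL's NextUpdate to its own certificate's expiry, so "2 years or beyond the lifetime of the longest certificate" is bounded by the CA certificate itself. The wait in Step 7 should therefore be at least the short period plus that overlap, not the bare 6 hours.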
  • Version 1 templates were introduced in Windows 2000, and can be used by Windows 2000, Windows Server 2003 (R2), and Windows Server 2008 (R2) Enterprise CAs. Version 1 templates Active Directory objects are created the first time an Enterprise CA is created in the forest.

    The command we use deletes the certificates that are based on version 2 or later templates, so you will get the note when you perform step 9.

    12 March 2012 6:19
  • Are you saying that certutil -dcinfo deleteBad only works on v2 certificates? And what "note" are you referring to with regard to Step 9?
    12 March 2012 10:39
  • Hi,

    I would like to check if you have read the explanation about this. Please keep me posted on this. Thanks.

    16 March 2012 1:12
  • I understand what you're saying, but the warning seems pointless since the PKI is being decommissioned and smart card certificates will have been revoked earlier in the process, so what's the harm?

    Presumably the warning is more relevant to persons that have deployed v1 Domain Controller certificates and are using Smart cards rather than someone that is decommissioning their PKI. It sounds more to me like using certutil -dcinfo deleteBad is more dangerous for operational PKIs than for someone intent on completely removing it.

    Thanks for the additional clarification.

    Regards

    16 March 2012 15:12
  • This is specific to a multiple-CA scenario, such as two issuing CAs, where you demote one issuing CA. However, there is another CA in the environment. If so, the command will delete all the certificates which meet the "bad" requirements, which may cause some certificates to stop working.

    19 March 2012 3:01