How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects

This is a revision of KB article 889250.


This topic is a how-to. Please keep it as clear and simple as possible. Avoid speculative discussions as well as a deep dive into underlying mechanisms or related technologies.

Update plan

Since the process (with the exception of role removal) is the same for Windows Server 2008 and Windows Server 2008 R2, I would like to:

  1. Update article name like this: “How to decommission a Windows enterprise certification authority and how to remove all related objects” or this: “How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and Windows Server 2008”
  2. Update content for Windows Server 2008-specific steps (how to remove AD CS role by using Server Manager).
  3. Update the “Applies to:” section to add Windows Server 2008 and Windows Server 2008 R2. It is probably also necessary to remove the Windows 2000 information from the article.
  4. Import this article into the TechNet Library.
  5. Propose that the KB article be decommissioned.

Overview

When you uninstall a certification authority (CA), the certificates that were issued by the CA are typically still outstanding. If the outstanding certificates are processed by the various Public Key Infrastructure client computers, validation will fail, and those certificates will not be used.

This article describes how to revoke outstanding certificates and how to complete various other tasks that are required to successfully uninstall a CA. Additionally, this article describes several utilities that you can use to help you remove CA objects from your domain.

Step-by-Step

This step-by-step article describes how to decommission a Microsoft Windows enterprise CA, and how to remove all related objects from the Active Directory directory service.

Step 1: Revoke all active certificates that are issued by the enterprise CA

The steps used to revoke all issued certificates depend on where the CA sits in the CA hierarchy. Use the following procedure if your CA is a root CA (one with a self-signed certificate):

  1. Click Start, point to Administrative Tools, and then click Certification Authority.
  2. Expand your CA, and then click the Issued Certificates folder.
  3. In the right pane, click one of the issued certificates, and then press CTRL+A to select all issued certificates.
  4. Right-click the selected certificates, click All Tasks, and then click Revoke Certificate.
  5. In the Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.

If your CA is an intermediate (or subordinate) CA, you can instead revoke the CA's own certificate at the CA that issued it, which invalidates everything chained below it:

  1. Log on to the issuing CA with CA Manager or CA Administrator permissions.
  2. Click Start, point to Administrative Tools, and then click Certification Authority.
  3. Expand your CA, and then click the Issued Certificates folder.
  4. In the right pane, find the certificate of the CA that is being decommissioned.
  5. Right-click the selected certificate, click All Tasks, and then click Revoke Certificate.
  6. In the Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.

Step 2: Increase the CRL publication interval

  1. In the Certification Authority Microsoft Management Console (MMC) snap-in, right-click the Revoked Certificates folder, and then click Properties.
  2. In the CRL Publication Interval box, type a suitably long value, and then click OK.

Note The lifetime of the Certificate Revocation List (CRL) should be longer than the lifetime that remains for certificates that have been revoked.

Step 3: Publish a new CRL

  1. In the Certification Authority MMC snap-in, right-click the Revoked Certificates folder.
  2. Click All Tasks, and then click Publish.
  3. In the Publish CRL dialog box, click New CRL, and then click OK.

Step 4: Deny any pending requests

By default, an enterprise CA does not store certificate requests. However, an administrator can change this default behavior. To deny any pending certificate requests, follow these steps:

  1. In the Certification Authority MMC snap-in, click the Pending Requests folder.
  2. In the right pane, click one of the pending requests, and then press CTRL+A to select all pending certificates.
  3. Right-click the selected requests, click All Tasks, and then click Deny Request.
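Steps 1 through 4 can also be driven from the command line on the CA itself, which is useful when the Issued Certificates view holds thousands of entries. The following PowerShell script is an added example and is not part of the original article: it revokes every issued certificate with reason 5 (Cessation of Operation, the "Cease of Operation" option in the MMC dialog), denies pending requests, extends the CRL period through the CA registry settings, and publishes a new CRL. It assumes a root CA (for a subordinate CA, revoke its certificate at the issuer as described above), that certutil.exe is run in an elevated prompt with Certificate Manager rights, and that the CA database disposition codes 20 (issued) and 9 (pending) apply; all actions honour -WhatIf so they can be reviewed before anything is changed.

```powershell
# Added example (not the article's own procedure): scripted equivalent of Steps 1-4.

function Get-CaDbRows {
    # Query the local CA database with certutil -view in CSV form and return each row's
    # values in column order. Disposition 9 = pending, 20 = issued, 21 = revoked.
    param([int]$Disposition, [string[]]$Columns)
    $out = certutil -view -restrict "Disposition=$Disposition" -out ($Columns -join ',') csv
    $out | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |   # drop the trailing status line
        ConvertFrom-Csv |
        ForEach-Object { ,@($_.PSObject.Properties | ForEach-Object { $_.Value }) }
}

function Invoke-CaDecommissionPrep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$CrlPeriodUnits = 1,                       # the "suitably long value" of Step 2
        [ValidateSet('Hours','Days','Weeks','Months','Years')]
        [string]$CrlPeriod = 'Years'
    )

    # Step 1: revoke every issued certificate, reason code 5 = Cessation of Operation.
    foreach ($row in Get-CaDbRows -Disposition 20 -Columns 'RequestID','SerialNumber') {
        $requestId, $serial = $row
        if ($serial -notmatch '^[0-9a-fA-F]+$') { continue }        # skip anything that is not data
        if ($PSCmdlet.ShouldProcess("request $requestId, serial $serial", 'certutil -revoke (reason 5)')) {
            certutil -revoke $serial 5 | Out-Null
        }
    }

    # Step 4: deny anything still pending so nothing can be issued after the revocations.
    foreach ($row in Get-CaDbRows -Disposition 9 -Columns 'RequestID') {
        $requestId = $row[0]
        if ($requestId -notmatch '^\d+$') { continue }
        if ($PSCmdlet.ShouldProcess("request $requestId", 'certutil -deny')) {
            certutil -deny $requestId | Out-Null
        }
    }

    # Step 2: extend the CRL publication interval. These are registry values under
    # CA\ and only take effect after the service restarts.
    if ($PSCmdlet.ShouldProcess('CA registry', "set CRLPeriod to $CrlPeriodUnits $CrlPeriod")) {
        certutil -setreg CA\CRLPeriodUnits $CrlPeriodUnits | Out-Null
        certutil -setreg CA\CRLPeriod $CrlPeriod | Out-Null
        Restart-Service CertSvc
    }

    # Step 3: publish a new CRL that carries the revocations and the long lifetime.
    if ($PSCmdlet.ShouldProcess('CA', 'certutil -CRL')) {
        certutil -CRL
    }

    # Show the CRL table so NextUpdate can be compared with the latest NotAfter among
    # the revoked certificates (the note in Step 2 says the CRL must outlive them).
    certutil -view CRL -out 'CRLNumber,CRLThisUpdate,CRLNextUpdate' csv |
        Where-Object { $_ -notmatch '^CertUtil:' }
}

# Review first, then run for real:
Invoke-CaDecommissionPrep -WhatIf
# Invoke-CaDecommissionPrep -CrlPeriodUnits 2 -CrlPeriod Years
```

Run the function with -WhatIf once and read the list of serial numbers it intends to revoke; a CA that has issued certificates to other parties (for example cross-certificates) is a reason to pause before the real run.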

Step 5: Uninstall Certificate Services from the server

  1. To stop Certificate Services, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type certutil -shutdown, and then press ENTER.
  3. To list all key stores for the local computer, type certutil -key at the command prompt. This command displays the names of all the installed cryptographic service providers (CSPs) and the key stores that are associated with each provider. Among the listed key stores, you will see the name of your CA listed several times, as shown in the following example.
    (1)Microsoft Base Cryptographic Provider v1.0:
      1a3b2f44-2540-408b-8867-51bd6b6ed413
      MS IIS DCOM ClientSYSTEMS-1-5-18
      MS IIS DCOM Server
      Windows2000 Enterprise Root CA
      MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
    
      afd1bc0a-a93c-4a31-8056-c0b9ca632896
      Microsoft Internet Information Server
      NetMon
      MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
    
    (5)Microsoft Enhanced Cryptographic Provider v1.0:
      1a3b2f44-2540-408b-8867-51bd6b6ed413
      MS IIS DCOM ClientSYSTEMS-1-5-18
      MS IIS DCOM Server
      Windows2000 Enterprise Root CA
      MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
    
      afd1bc0a-a93c-4a31-8056-c0b9ca632896
      Microsoft Internet Information Server
      NetMon
      MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
  4. Delete the private key that is associated with the CA. To do this, type the following at a command prompt:
    certutil -delkey CertificateAuthorityName
    Note: If your CA name contains spaces, enclose the name in quotation marks. In this example, the CertificateAuthorityName is Windows2000 Enterprise Root CA. Therefore, the command line in this example is the following:
    certutil -delkey "Windows2000 Enterprise Root CA"
  5. List the key stores again to verify that the private key for your CA has been deleted.
  6. After you delete the private key for your CA, uninstall Certificate Services. To do this, follow these steps:
      1. Close the Certification Authority MMC snap-in if it is still open.
      2. Click Start, point to Control Panel, and then click Add or Remove Programs.
      3. Click Add/Remove Windows Components.
      4. In the Components box, click to clear the Certificate Services check box, click Next, and then follow the instructions in the Windows Components Wizard to complete the removal of Certificate Services.
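Several of the comments on this page report that certutil -key on Windows Server 2008 R2 does not show the CA name, because the CA key usually lives in the Microsoft Software Key Storage Provider (a CNG KSP) and a bare certutil -key lists only legacy CSP containers. The PowerShell below is an added example, not the article's own procedure: it identifies the CA's key container and provider from the CA certificate in the machine store (the "Key Container =" and "Provider =" lines of certutil -store My), cross-checks the provider against the CA's CSP registry key, confirms the container is visible through that provider, and only then runs the -csp form of the delete. It assumes the CA certificate is in LocalMachine\My with its subject CN equal to the CA name, and that the registry path HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CSP holds the Provider value; the CA name "adcs-ADCS-DC1-CA" in the usage line is taken from a comment on this page. Picking the CA key this way avoids deleting unrelated containers such as the le-DomainController-* names that appear in the listings quoted in the comments.

```powershell
# Added example (not the article's own code): locate and delete the CA private key (Step 5).

function Get-CaKeyInfo {
    # Parse "certutil -store My" and return subject, SHA-1 hash, key container and
    # provider for every certificate whose subject CN matches the CA name.
    param([Parameter(Mandatory)][string]$CaName)
    $block = @{}; $results = @()
    foreach ($line in @(certutil -store My)) {
        if ($line -match '^=+ Certificate \d+ =+') {              # start of a new record
            if ($block.Subject) { $results += New-Object psobject -Property $block }
            $block = @{}
        }
        elseif ($line -match '^Subject:\s*(.+)$')             { $block.Subject   = $Matches[1] }
        elseif ($line -match '^Cert Hash\(sha1\):\s*(.+)$')   { $block.Sha1      = $Matches[1] -replace '\s' }
        elseif ($line -match '^\s*Key Container\s*=\s*(.+)$') { $block.Container = $Matches[1].Trim() }
        elseif ($line -match '^\s*Provider\s*=\s*(.+)$')      { $block.Provider  = $Matches[1].Trim() }
    }
    if ($block.Subject) { $results += New-Object psobject -Property $block }
    $results | Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($CaName))(,|$)" }
}

function Remove-CaPrivateKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CaName)

    # Provider the CA service was configured with (assumed registry layout, see lead-in).
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $configuredProvider = (Get-ItemProperty "$cfg\$CaName\CSP" -ErrorAction SilentlyContinue).Provider

    $keys = @(Get-CaKeyInfo -CaName $CaName | Where-Object { $_.Container })
    if (-not $keys) { throw "No certificate with a private key found for CN=$CaName in LocalMachine\My" }

    if ($PSCmdlet.ShouldProcess('Certificate Services', 'certutil -shutdown')) {
        certutil -shutdown | Out-Null                       # Step 5, substep 2
    }

    foreach ($k in $keys) {
        if ($configuredProvider -and $k.Provider -ne $configuredProvider) {
            Write-Warning "Store reports provider '$($k.Provider)' but the CA is configured for '$configuredProvider'"
        }
        # List the containers of that specific provider; this is the form that shows
        # KSP-held keys on 2008 R2. Refuse to delete anything the listing does not show.
        $listing = @(certutil -csp $k.Provider -key) | ForEach-Object { $_.Trim() }
        if ($listing -notcontains $k.Container) {
            Write-Warning "Container '$($k.Container)' not listed by provider '$($k.Provider)'; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($k.Container) [$($k.Provider)] (cert $($k.Sha1))", 'certutil -delkey')) {
            certutil -csp $k.Provider -delkey $k.Container
            # Step 5, substep 5: list again to verify the key is gone.
            $after = @(certutil -csp $k.Provider -key) | ForEach-Object { $_.Trim() }
            if ($after -contains $k.Container) { Write-Warning "Key container '$($k.Container)' still present" }
            else { Write-Output "Deleted key container '$($k.Container)' from '$($k.Provider)'" }
        }
    }
}

# Review what would be deleted, then run without -WhatIf:
Remove-CaPrivateKey -CaName 'adcs-ADCS-DC1-CA' -WhatIf
```

If the CA has been renewed with a new key pair, Get-CaKeyInfo returns more than one record (one per CA certificate); each container is handled separately, so every generation of the key is removed.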

Step 6: Remove CA objects from Active Directory

When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory. These objects are the following:

  • certificateAuthority object
      • Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
      • Contains the CA certificate for the CA.
      • Published Authority Information Access (AIA) location.
  • crlDistributionPoint object
      • Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
      • Contains the CRL periodically published by the CA.
      • Published CRL Distribution Point (CDP) location.
  • certificationAuthority object
      • Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
      • Contains the CA certificate for the CA.
  • pKIEnrollmentService object
      • Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
      • Created by the enterprise CA.
      • Contains information about the types of certificates the CA has been configured to issue. Permissions on this object control which security principals can enroll against this CA.

When the CA is uninstalled, only the pKIEnrollmentService object is removed. This prevents clients from trying to enroll against the decommissioned CA. The other objects are retained because certificates that are issued by the CA are probably still outstanding. These certificates must be revoked by following the procedure in the "Step 1: Revoke all active certificates that are issued by the enterprise CA" section.

For Public Key Infrastructure (PKI) client computers to successfully process these outstanding certificates, the computers must locate the Authority Information Access (AIA) and CRL distribution point paths in Active Directory. It is a good idea to revoke all outstanding certificates, extend the lifetime of the CRL, and publish the CRL in Active Directory. If the outstanding certificates are processed by the various PKI clients, validation will fail, and those certificates will not be used.

If it is not a priority to maintain the CRL distribution point and AIA in Active Directory, you can remove these objects. Do not remove these objects if you expect to process one or more of the formerly active digital certificates.

Remove all Certification Services objects from Active Directory

Note You should not remove certificate templates from Active Directory until after you remove all CA objects in the Active Directory forest.

To remove all Certification Services objects from Active Directory, follow these steps:

  1. Determine the CACommonName of the CA. To do this, follow these steps:
      1. Click Start, click Run, type cmd in the Open box, and then click OK.
      2. Type certutil, and then press ENTER.
      3. Make a note of the Name value that belongs to your CA. You will need the CACommonName for later steps in this procedure.
  2. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
  3. On the View menu, click Show Services Node.
  4. Expand Services, expand Public Key Services, and then click the AIA folder.
  5. In the right pane, right-click the certificationAuthority object for your CA, click Delete, and then click Yes.
  6. In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDP folder.
  7. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
  8. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certification Authorities node.
  9. In the right pane, right-click the certificationAuthority object for your CA, click Delete, and then click Yes.
  10. In the left pane of the Active Directory Sites and Services MMC snap-in, click the Enrollment Services node.
  11. In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object was not deleted, right-click the object, click Delete, and then click Yes.
  12. If you did not locate all the objects, some may remain in Active Directory after you perform these steps. To determine whether any objects of the CA remain, and to clean them up, follow these steps:
      1. Type the following command at a command prompt, and then press ENTER:
         ldifde -r "cn=CACommonName" -d "CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com" -f output.ldf

         In this command, CACommonName represents the Name value that you determined in step 1. For example, if the Name value is "CA1 Contoso", type the following:

         ldifde -r "cn=CA1 Contoso" -d "cn=public key services,cn=services,cn=configuration,dc=contoso,dc=com" -f remainingCAobjects.ldf
      2. Open the remainingCAobjects.ldf file in Notepad. Replace the term "changetype: add" with "changetype: delete". Then verify that the Active Directory objects you are about to delete are legitimate.
      3. At a command prompt, type the following command, and then press ENTER, to delete the remaining CA objects from Active Directory:
         ldifde -i -f remainingCAobjects.ldf
  13. Delete the certificate templates only if you are sure that all of the certification authorities have been deleted. Repeat step 12 to determine whether any AD objects remain.
      Important You must not delete the certificate templates unless all the certification authorities have been deleted. If the templates are accidentally deleted, follow these steps to re-create them:
      1. Make sure that you are logged on to a server that is running Certificate Services as an Enterprise administrator.
      2. At a command prompt, type the following command, and then press ENTER:
         cd %windir%\system32
      3. Type the following command, and then press ENTER:
         regsvr32 /i:i /n /s certcli.dll
         This action re-creates the certificate templates in Active Directory.
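The "replace changetype: add with changetype: delete, then verify the objects are legitimate" step in step 12 above is easy to get wrong by hand when ldifde has folded long lines or base64-encoded a DN. The following PowerShell function is an added example, not part of the article: it parses the exported LDF, unfolds continuation lines, decodes base64 DNs, refuses to emit a delete for any DN that is not a CN=CACommonName object under the Public Key Services container you exported from, writes a minimal delete-only LDF (dn plus changetype, nothing else), and orders the records deepest-first so that any child object is deleted before its parent. The input and output file names, the CA name "CA1 Contoso" and the contoso.com container DN come from the article's own example; the function name is an assumption.

```powershell
# Added example (not the article's own code): turn an ldifde export into a reviewed delete file.

function Convert-LdifAddToDelete {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$CaCommonName,   # Name value from certutil (step 1)
        [Parameter(Mandatory)][string]$PkiContainerDn  # the -d value passed to ldifde
    )

    # 1. Split the file into records (blank-line separated) and unfold LDIF
    #    continuation lines, which start with a single space.
    $records = @(); $current = @()
    foreach ($raw in @(Get-Content $InputPath) + '') {        # trailing '' flushes the last record
        if ($raw -eq '') { if ($current) { $records += ,$current; $current = @() }; continue }
        if ($raw -match '^ ' -and $current) { $current[-1] += $raw.Substring(1) }
        else { $current += $raw }
    }

    # 2. Extract each record's DN; "dn::" means the value is base64 (non-ASCII DN).
    $dns = foreach ($rec in $records) {
        $dnLine = $rec | Where-Object { $_ -match '^dn::? ' } | Select-Object -First 1
        if (-not $dnLine) { continue }
        if ($dnLine -match '^dn:: (.+)$') {
            [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
        } else {
            $dnLine.Substring(4).Trim()
        }
    }

    # 3. Safety check: every DN must be a CN=<CA name> object inside the exported container.
    $suffix = ',' + $PkiContainerDn
    foreach ($dn in $dns) {
        $inContainer = $dn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
        $isCaObject  = $dn -match "^CN=$([regex]::Escape($CaCommonName)),"
        if (-not ($inContainer -and $isCaObject)) {
            throw "Refusing to generate a delete for unexpected DN: $dn"
        }
    }

    # 4. Deepest objects first, so children are removed before any parent container.
    $ordered = $dns | Sort-Object { ($_ -split '(?<!\\),').Count } -Descending

    # 5. Emit minimal delete records; re-encode non-ASCII DNs as base64 per LDIF rules.
    $lines = foreach ($dn in $ordered) {
        if ($dn -match '[^\x20-\x7E]') {
            'dn:: ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($dn))
        } else { "dn: $dn" }
        'changetype: delete'
        ''
    }
    Set-Content -Path $OutputPath -Value $lines -Encoding Ascii
    $ordered                                                   # returned for review
}

# Usage with the article's example values:
#   ldifde -r "cn=CA1 Contoso" -d "cn=public key services,cn=services,cn=configuration,dc=contoso,dc=com" -f remainingCAobjects.ldf
Convert-LdifAddToDelete -InputPath .\remainingCAobjects.ldf -OutputPath .\deleteCAobjects.ldf `
    -CaCommonName 'CA1 Contoso' `
    -PkiContainerDn 'CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com'
# Read the DNs it printed, then: ldifde -i -f deleteCAobjects.ldf
```

The returned list of DNs is the review artifact: if it contains anything other than the AIA, CDP, Certification Authorities and Enrollment Services entries for the decommissioned CA, stop and look at the export before importing the delete file.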

To delete the certificate templates, follow these steps.

  • In the left pane of the "Active Directory Sites and Services" MMC snap-in, click the Certificate Templates folder.
  • In the right pane, click a certificate template, and then press CTRL+A to select all templates. Right-click the selected templates, click Delete, and then click Yes.

Step 7: Delete certificates published to the NtAuthCertificates object

Using CERTUTIL.EXE

After you delete the CA objects, you have to delete the CA certificates that are published to the NtAuthCertificates object. Use either of the following commands to delete certificates from within the NTAuthCertificates store:

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=pKIEnrollmentService"

Note You must have Enterprise Administrator permissions to perform this task.

The -viewdelstore action invokes the certificate selection UI on the set of certificates in the specified attribute. You can view the certificate details. You can cancel out of the selection dialog to make no changes. If you select a certificate, that certificate is deleted when the UI closes and the command is fully executed.

Use the following command to see the full LDAP path to the NtAuthCertificates object in your Active Directory:

certutil -store -? | findstr "CN=NTAuth"

Using PKIView.msc

For a GUI method of removing certificates from the NTAuthCertificates store, use PKIView.msc. You may need to install the appropriate RSAT tools for Certificate Services if Certificate Services was removed in a previous step:
  1. Click Start and Run or, in the Search programs and files box, type PKIView.msc, and then press ENTER.
  2. Click OK to acknowledge any errors relating to enumerating CAs in the PKI.
  3. In the tree-pane of the pkiview console, right-click Enterprise PKI then click Manage AD Containers.
  4. The NtAuthCertificates tab is the default tab and lists certificates in the container.
  5. On the NtAuthCertificates tab, select the certificate to be deleted and then click Remove.
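Both methods above are interactive. Where the removal has to be scripted or audited, the cACertificate attribute of the NtAuthCertificates object can be inspected and edited directly. The PowerShell below is an added example, not part of the article: it lists every certificate currently in the NTAuth store with subject, thumbprint and expiry, and removes exactly one value selected by thumbprint, with -WhatIf support and a re-read afterwards to confirm the result. It assumes the ActiveDirectory module (RSAT) is available, that the caller has the Enterprise Administrator rights the article requires, and that the object lives at CN=NTAuthCertificates,CN=Public Key Services,CN=Services under the forest's configuration naming context; the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not the article's own code): scripted NTAuthCertificates cleanup (Step 7).
Import-Module ActiveDirectory

function Get-NtAuthCertificates {
    # Each value of cACertificate is a DER-encoded certificate; decode it for display.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate
    foreach ($der in $obj.cACertificate) {
        $bytes = [byte[]]$der
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        New-Object psobject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            RawData    = $bytes
            Dn         = $dn
        }
    }
}

function Remove-NtAuthCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)

    $wanted = $Thumbprint -replace '\s'                       # tolerate pasted "AB CD EF" form
    $all    = @(Get-NtAuthCertificates)
    $target = $all | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $target) { throw "No certificate with thumbprint $wanted in NTAuthCertificates" }

    if ($all.Count -eq 1) {
        # Every logon type that checks the NTAuth store (smart-card logon, for example)
        # depends on this attribute, so emptying it is worth a second look.
        Write-Warning 'This is the last certificate in NTAuthCertificates'
    }

    if ($PSCmdlet.ShouldProcess($target.Dn, "remove cACertificate value '$($target.Subject)' ($wanted)")) {
        # -Remove deletes one value from a multi-valued attribute; the others stay.
        Set-ADObject -Identity $target.Dn -Remove @{ cACertificate = $target.RawData }
    }

    # Re-read and show what remains so the change can be verified.
    Get-NtAuthCertificates | Select-Object Subject, Thumbprint, NotAfter
}

# Inventory first, then remove the decommissioned CA's certificate by thumbprint:
Get-NtAuthCertificates | Format-Table Subject, Thumbprint, NotAfter -AutoSize
Remove-NtAuthCertificate -Thumbprint '<thumbprint of the decommissioned CA certificate>' -WhatIf
```

Selecting by thumbprint rather than by subject matters when a CA has been renewed: the old and new CA certificates share a subject but have different thumbprints, and only the ones belonging to the decommissioned CA should go.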

Step 8: Delete the CA database

When Certificate Services is uninstalled, the CA database is left intact so that the CA can be re-created on another server.

To remove the CA database, delete the %systemroot%\System32\Certlog folder.

Step 9: Clean up domain controllers

After the CA is uninstalled, the certificates that were issued to domain controllers must be removed.

To remove certificates that were issued to the Windows Server 2000 domain controllers, use the Dsstore.exe utility from the Microsoft Windows 2000 Resource Kit.

To remove certificates that have been issued to the Windows Server 2000 domain controllers, follow these steps:

  1. Click Start, click Run, type cmd, and then press ENTER.
  2. On a domain controller, type dsstore -dcmon at the command prompt, and then press ENTER.
  3. Type 3, and then press ENTER. This action deletes all certificates on all domain controllers.
    Note The Dsstore.exe utility will try to validate domain controller certificates that are issued to each domain controller. Certificates that do not validate are removed from their respective domain controller.

To remove certificates that were issued to the Windows Server 2003 domain controllers, follow these steps.

Important Do not use this procedure if you are using certificates that are based on version 1 domain controller templates.

  1. Click Start, click Run, type cmd, and then press ENTER.
  2. At the command prompt on a domain controller, type certutil -dcinfo deleteBad.

Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.

To force application of the security policy, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
  2. At a command prompt, type the appropriate command for the corresponding version of the operating system, and then press ENTER:
      1. For Windows Server 2000: secedit /refreshpolicy machine_policy /enforce
      2. For Windows Server 2003 and higher: gpupdate /force
Comments
  • Is Step 2 worded correctly? Should the length of time of the CRL publication interval be increased? So, for example, if it's currently set at 1 week, it should be set to 1 year? Or should it be shorter? 30 minutes instead of 1 week for instance. Why is this part of the process important?

  • Yes, CRL validity must be increased.

  • After setting up an Enterprise CA in order to decommission it following this guide, I am not able to proceed past Step 5. The step suggests that issuing the command certutil -key will give a list of CSPs and the name of your CA. This is not true of Windows Server 2008 R2. An example of the output obtained from the command certutil -key from a Windows Server 2008 R2 Enterprise Root CA is:

    Microsoft Strong Cryptographic Provider:
      le-DomainController-2b43a7e4-deee-4569-b2fd-df5a9be0fe8d
      3208ae7444227e7f53ad437ef8992f65_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE
      iisConfigurationKey
      6de9cb26d2b98c01ec4e9e8b34824aa2_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE
      iisWasKey
      76944fb33636aeddb9590521c2e8815a_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE
      MS IIS DCOM Server
      7a436fe806e483969f48a894af2fe9a1_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE, AT_SIGNATURE
      Microsoft Internet Information Server
      c2319c42033a5ca7f44e731bfd3fa2b5_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE, AT_SIGNATURE
      NetFrameworkConfigurationKey
      d6d986f09a1ee04e24c949879fdb506c_55eda213-55b3-42f6-b40d-23fe7a59e502
        AT_KEYEXCHANGE
    CertUtil: -key command completed successfully.

    I have attempted a significant number of other commands but with no success. What are the alternative methods for Step 5?

  • The final step (9) says: Do not use this procedure if you are using certificates that are based on version 1 domain controller templates.

    Can anyone please explain why this shouldn't be done? What impact does it have if the certificates are removed? Bearing in mind that DCs are hard-coded to request a Domain Controller certificate in v1 format, this means that most default installations of Enterprise Root CAs will include Domain Controllers with v1 certificates issued to them.

    Should the final step just be skipped if DCs have v1 DomainController certificates?

  • I have a 2008 R2 CA and I too cannot process step 5 to view and delete the private key.  What is a procedure that works for this step?

  • BCZSM, I used the command:

    certutil -delkey le-DomainController-2b43a7e4-deee-4569-b2fd-df5a9be0fe8d

    you have to change the GUID to the proper one revealed by certutil -key

  • @João Paulo Remédio - My solution was to specify the -csp on the command line as well.

    Issuing certutil -store and then identifying the certificate provider and subject from that before running the following:

    certutil -csp "[Provider]" -delkey "[Subject]"

    I don't believe that deleting the le-DomainController* key is the correct one to delete.

    As an example: certutil -csp "Microsoft Software Key Storage Provider" -delkey "adcs-ADCS-DC1-CA" was what I ran.

    I suggest Step 5: should be changed to: certutil -csp "Microsoft Software Key Storage Provider" -key as this will list keys from the CSP defined on the command line.

  • I used João Paulo Remédio's suggestion, but for ours it was le-Machine-<the rest of the data>, not le-DomainController-<the rest of the data>.

  • Hi,

    I have certificate services running in a two node failover cluster. Can I use these steps to decommission a clustered CA? What are the additional steps associated with it?

  • The only difference is that step 5 must be performed on each node.
