Remove published trusted root certificate and all related items (e.g. AIA, CDP) from Active Directory

    Question

  • Recently, I became alarmed when I noticed an unusual certificate (hereafter: "BadCert") in the Trusted Root Certification Authorities section of the Certificates MMC on a computer.  I checked several computers in our environment and BadCert was installed as a Trusted Root Certification Authority on all of them.  As I manage our PKI, this alarmed me because I definitely had nothing to do with it.

    I was able to identify the host server that seems to be responsible for it as the name of BadCert has the server hostname in its common name.  It is a Windows Storage Server 2012 R2 Storage Server Essentials server that one of our Systems Administrators (who also has Domain Admin rights) set up.  I asked him about it, and he does not know how or why a certificate related to this server ended up being pushed out as a trusted root certification authority.

    I determined that BadCert is not being pushed out via Group Policy.  Instead, it appears to be published in Active Directory.*  At this point, I believe the prudent thing to do is to remove/unpublish this certificate in Active Directory.  The thing is, the originating server does not have the Active Directory Certificate Services role installed and does not have BadCert installed in its "Personal" certificate store.  It does have the Windows Server Essentials Experience role installed but the configuration is not completed.

    I'm not sure how to proceed.  Can anyone assist?

    * I see entries related to BadCert under "CN=Public Key Services,CN=Services,CN=Configuration,DC=<subdomain>,DC=<domain>,DC=<root>".  For instance there are items related to BadCert under the "CN=AIA", "CN=CDP", "CN=Certification Authorities", and "CN=KRA" RDNs under that container.

    Wednesday, November 30, 2016 4:23 PM
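The kind of check the question describes (is the certificate trusted on this machine, and did it arrive via Group Policy or via publication in Active Directory), written up as an added PowerShell example; it is not part of the original question. It assumes a domain-joined machine with the ActiveDirectory RSAT module. The three registry locations it reads are the ones Windows uses for GPO-deployed, AD-published ("Enterprise") and locally installed machine root certificates, and it cross-references the AD ones against CN=Certification Authorities and CN=NTAuthCertificates in the Configuration partition.

```powershell
# Added example, not code from the original thread.
# Classifies every certificate in the machine's Trusted Root view by where it comes from:
#   GroupPolicy - pushed by a GPO        (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root)
#   Enterprise  - downloaded from AD     (HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root)
#   Local       - installed on this host (HKLM\SOFTWARE\Microsoft\SystemCertificates\Root)
# and checks whether the AD-published ones are in CN=Certification Authorities and
# CN=NTAuthCertificates. Assumes the ActiveDirectory RSAT module and a domain-joined host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# Decode the multi-valued cACertificate attribute of an AD object into X509Certificate2 objects.
function Get-AdPublishedCerts([string]$dn) {
    $obj = Get-ADObject -Identity $dn -Properties cACertificate -ErrorAction SilentlyContinue
    foreach ($raw in @($obj.cACertificate)) {
        if ($raw) { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw) }
    }
}

# Roots published for the whole forest (what autoenrollment copies into the Enterprise store).
$adRoots = Get-ADObject -SearchBase "CN=Certification Authorities,$pks" -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=certificationAuthority)' |
           ForEach-Object { Get-AdPublishedCerts $_.DistinguishedName }
# CAs trusted to issue logon certificates; an Enterprise CA install adds itself here.
$ntAuth  = Get-AdPublishedCerts "CN=NTAuthCertificates,$pks"

$regBases = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    Enterprise  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    Local       = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
}

# Cert:\LocalMachine\Root is the merged view; the registry key that holds the
# thumbprint tells us which physical store (and therefore which source) it came from.
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
    $tp      = $_.Thumbprint
    $origins = $regBases.Keys | Where-Object { Test-Path (Join-Path $regBases[$_] $tp) }
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $tp
        Origin     = ($origins -join ',')
        InAdCAs    = [bool]($adRoots | Where-Object Thumbprint -eq $tp)
        InNTAuth   = [bool]($ntAuth  | Where-Object Thumbprint -eq $tp)
        NotAfter   = $_.NotAfter
    }
} | Sort-Object Origin, Subject | Format-Table -AutoSize
```

A root that shows Origin = Enterprise and InAdCAs = True is being distributed by the CN=Certification Authorities container rather than by a GPO, which matches what the question found. InNTAuth = True means the certificate is also in NTAuthCertificates, the store that makes a CA trusted to issue logon certificates, so such an entry is worth treating as the more serious one.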

Answers

  • Hi Andy,

    AIA and CDP entries are automatically installed into Active Directory if an Enterprise (Root or Subordinate) CA is installed and the user doing so has sufficient rights to the Configuration Partition of Active Directory (usually Enterprise Admin, though it also works with some delegation permissions). You can't take a look anymore at the CA, but normally I would expect the HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CA Common Name>\CAType to be set to 0 (Enterprise Root CA) or 1 (Enterprise Subordinate CA) if I see an AIA or CDP suddenly pop up.

    Uninstalling the CA will not remove the AIA or CDP entries, because the uninstalled CA may have issued certificates that still depend on AIA and/or CDP for validation. In your case that shouldn't/doesn't apply, as the CA was installed by accident and never issued certificates. So you should be able to safely remove the entries using any means convenient to you (PowerShell/ADSI Edit/Active Directory Sites and Services/...). All of the entries are in the CN=Public Key Services,CN=Services,CN=Configuration area of Active Directory, but be careful if you have legitimate CAs, as their entries will be there too.

    The following article may help: https://support.microsoft.com/en-us/kb/889250

    Kind Regards,

    Friday, December 2, 2016 1:33 PM
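The removal the answer describes, as an added PowerShell example; it is not code from the answer or from the linked KB article. It deletes only objects under CN=Public Key Services whose name contains the CA name, so a legitimate CA with an unrelated name is left alone, and it should be run with -WhatIf first so the list can be read before anything is deleted. Assumptions: $CaName is the CA common name that appears in the published entries (the thread's placeholder "BadCert" is used here), the ActiveDirectory RSAT module is present, and the caller has rights on the Configuration partition (Enterprise Admins or equivalent delegation).

```powershell
# Added example, not code from the original answer or from the KB article it links.
# Removes what an accidental Enterprise CA left under CN=Public Key Services.
# Run with -WhatIf first. Assumptions: $CaName is the CA common name seen in the
# published entries; the ActiveDirectory module is present; the caller has rights
# on the Configuration partition.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$CaName = 'BadCert')   # assumption: replace with the real CA name

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# Containers an Enterprise CA install writes to. The thread found AIA, CDP,
# Certification Authorities and KRA; Enrollment Services is the other one an
# enterprise install creates. NTAuthCertificates is handled separately below.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'KRA', 'Enrollment Services'

# 1. Collect every object under those containers whose name carries the CA name,
#    deepest DN first so children are deleted before their parents.
$targets = foreach ($c in $containers) {
    $base = "CN=$c,$pks"
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter "Name -like '*$CaName*'" |
        Where-Object { $_.DistinguishedName -ne $base }
}
$targets = @($targets | Sort-Object { $_.DistinguishedName.Length } -Descending)
Write-Host ("{0} object(s) match '{1}':" -f $targets.Count, $CaName)
$targets | ForEach-Object { Write-Host ("  {0,-28} {1}" -f $_.ObjectClass, $_.DistinguishedName) }

foreach ($t in $targets) {
    # -WhatIf/-Confirm from the script propagate into Remove-ADObject.
    Remove-ADObject -Identity $t.DistinguishedName -Recursive -Confirm:$false
}

# 2. CDP keeps one container per CA host, named after the server rather than the CA.
#    Once its cRLDistributionPoint children are gone it is empty and referenced by
#    nothing, so drop it as well (under -WhatIf the children still exist, so this is skipped).
foreach ($hostContainer in Get-ADObject -SearchBase "CN=CDP,$pks" -SearchScope OneLevel -Filter *) {
    $children = Get-ADObject -SearchBase $hostContainer.DistinguishedName -SearchScope OneLevel -Filter *
    if (-not $children) {
        Remove-ADObject -Identity $hostContainer.DistinguishedName -Confirm:$false
    }
}

# 3. NTAuthCertificates stores every Enterprise CA's certificate as one value of the
#    multi-valued cACertificate attribute, so the object itself must stay. certutil
#    opens a picker listing the stored certificates; choose the accidental CA there.
$ntAuth = "CN=NTAuthCertificates,$pks"
if ($PSCmdlet.ShouldProcess($ntAuth, "Remove the '$CaName' certificate from NTAuthCertificates")) {
    certutil -viewdelstore "ldap:///$ntAuth?cACertificate?base?objectClass=certificationAuthority"
}
```

Saved as a script and run as `.\Remove-PksEntries.ps1 -CaName '<name>' -WhatIf`, step 1 prints every matching object and Remove-ADObject reports what it would delete; only a run without -WhatIf changes the directory. The NTAuth step is deliberately interactive, since that attribute also carries the certificates of any legitimate Enterprise CAs and the wrong value must not be removed.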

All replies

  • Hi Scott,

    >> It does have the Windows Server Essentials Experience role installed but the configuration is not

    As far as I know, after the configuration is fully completed, the Essentials server will automatically install a CA on it.

    See figure below:

    You could try deleting the data in the ADSI database if you don't want to use this cert anymore.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 1, 2016 4:19 AM
    Moderator
  • If I remove that role, will it remove the CA and its enterprise configuration as well?

    Edit: Well... I removed the Windows Server Essentials Experience role and it did not remove the trusted root certificate from Active Directory.  I'll have to figure out where all the pieces are in order to manually excise them.

    It also created a managed service account called "ServerAdmin" that it puts in the Domain Admins and Enterprise Admins group.  It didn't remove those either when the role was removed from the server.

    Unbelievable.  I've had to instruct the team to never install a Windows Server Essentials server on our domain or to install the Windows Server Essentials Experience.


    Thursday, December 1, 2016 1:20 PM
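The leftover account this reply describes can be audited the same way as the PKI entries; the following is an added PowerShell example, not code from the post. It finds the account, lists every group it belongs to, and removes it from the privileged ones, honouring -WhatIf. Assumptions: $Leftover is the account name the reply gives ("ServerAdmin"), which may exist as a user or as a managed service account (sAMAccountName with a trailing $), and the group names are the defaults.

```powershell
# Added example, not from the original post. Finds the account the Essentials role
# left behind, lists its group memberships, and removes it from the privileged
# groups. Run with -WhatIf first. Assumptions: $Leftover is the name from the thread;
# it may be a user or a managed service account; the group names are the defaults.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$Leftover = 'ServerAdmin')   # assumption: the account name from the thread

Import-Module ActiveDirectory
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$msaName    = $Leftover + '$'   # managed service accounts carry a trailing $

$accounts = @(Get-ADObject -Filter "sAMAccountName -eq '$Leftover' -or sAMAccountName -eq '$msaName'" `
                           -Properties sAMAccountName, whenCreated)
if ($accounts.Count -eq 0) { Write-Warning "No account named $Leftover or $msaName found"; return }

foreach ($acct in $accounts) {
    Write-Host ("{0} ({1}), created {2}" -f $acct.sAMAccountName, $acct.ObjectClass, $acct.whenCreated)
    # Group membership as recorded on the account (memberOf); Enterprise Admins lives
    # in the forest root domain, so run this against a GC or the root if the account
    # sits in a child domain and that group does not show up.
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName) {
        $isPriv = $privileged -contains $g.Name
        Write-Host ("  {0,-20} {1}" -f $g.Name, $(if ($isPriv) { 'PRIVILEGED - removing' } else { '' }))
        if ($isPriv) {
            # -WhatIf from the script propagates here; nothing changes in a -WhatIf run.
            Remove-ADGroupMember -Identity $g.DistinguishedName -Members $acct.DistinguishedName -Confirm:$false
        }
    }
}
```

Whether the account itself should then be deleted depends on whether anything on the (now role-less) server still authenticates with it, which is why the example stops at stripping its privileged memberships.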
  • Hi Scott,

    >>Unbelievable.  I've had to instruct the team to never install a Windows Server Essentials server on our domain or to install the Windows Server Essentials Experience.

    I installed Essentials in a separate domain and used it for some specific purposes, and didn't find any issues.

    Have a nice day!

    If you have any updates, feel free to post them here.

    Best regards,

    Andy



    Friday, December 2, 2016 4:31 AM
    Moderator
  • Thanks for your help.  So basically I just look for anything under "CN=Public Key Services,CN=Services,CN=Configuration" that seems to have "BadCert" in the name.  Easy enough.

    Tuesday, December 6, 2016 1:36 PM