Install a CA using an existing certificate RRS feed

  • Question

  • When I install a new CA, if I select the "use an existing private key" / "select a certificate and use its associated private key", I'm shown a list of certificates, which are the certificates of the CAs I installed previously on my test server.

    Where are those certificates taken from, i.e. how is that list populated?

    I thought those should be in some certificate store, but after I deleted them from the computer certificate store they still appear in the list...


    Paolo Tedesco - http://cern.ch/idm

    Monday, March 11, 2013 4:07 PM


All replies

  • Hi Paolo,

    Thanks for posting in Microsoft TechNet forums.

    The following link might be useful to you:

    Certificate stores




    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Tuesday, March 12, 2013 2:10 AM
  • Hi Kevin,

    Sorry, but I don't see how the link you provided answers my question.


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, March 12, 2013 8:09 AM
  • The certificates should be coming from the Active Directory just as the templates are in the Active Directory.

    You might use adsi-edit tool to browse the Active Directory objects.  Perhaps under Configurations/Services/Public Key Services/Certification Authority.  Check the properties of the CA object and you may see the certificates in the CACertificates parameter.

    • Proposed as answer by 朱鸿文 Thursday, March 21, 2013 2:21 AM
    Tuesday, March 12, 2013 9:56 PM
  • Hi Paolo,

    You may want to check this out. If you're storing the private keys in the local computer, these keys are usually stored at:
    %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<key container>

    To completely, remove the private keys and the certificates, you need to first remove the private keys and then delete them from the certificate store using:

    certutil.exe -delkey <keycontainername>

    You can also refer to the link below on how to decommission a windows CA:



    Cheers, Ramin

    • Proposed as answer by 朱鸿文 Thursday, March 21, 2013 2:21 AM
    • Marked as answer by Paolo Tedesco Thursday, March 21, 2013 7:56 AM
    Wednesday, March 13, 2013 7:42 AM
  • Hi Emilio,

    Thank you very much for your help.


    Paolo Tedesco - http://cern.ch/idm

    Thursday, March 21, 2013 8:03 AM