You have likely found this article because you are attempting to remove an old CA from a domain in Active Directory. If you’re an Active Directory domain administrator, you may have discovered old CAs showing up as available CAs on your domain. You may also be attempting to decommission an old CA server. This article will focus on the former, but if your use case is more in line with the latter, it will cover useful information for you as well. For more information on Microsoft CAs, go here.
Step 1: Revoke all issued certificates
Step 2: Uninstall AD Certificate Services from the CA server
Step 3: Remove CA objects from Active Directory
This is the step we will focus on for the purposes of this article. The use case here is an Active Directory domain administrator who has inherited a domain with an old CA that was never cleaned up properly. It has no active certificates issued and the old CA server has been decommissioned, but there is still metadata for the old CA lying around on the domain.
To show the CAs still discoverable on your domain, run the following command from the Windows command prompt:
certutil
It will display the list of CAs known to the domain. Assuming the server itself is already decommissioned, you will need to authenticate to a domain controller and clean it up from there.
On the domain controller, open the “Active Directory Sites and Services” window and select View -> Show Services Node.
Navigate to the Services -> Public Key Services folder and for each sub folder, remove the corresponding entry for the CA you are cleaning up. You should expect to see records under each of the following sub folders. Note that you should delete the records for the CA under each of the folders and not the folder itself.
- AIA
- CDP
- Certificate Templates (you may not need to clean anything up under this one)
- Certification Authorities
- Enrollment Services
- KRA
- OID
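The same cleanup can be previewed and then carried out from PowerShell instead of clicking through each folder. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that you run it with Enterprise Admin rights, and that "OldCorp-CA" stands in for the CA name shown by certutil.

```powershell
# Added example (not from the original article). Lists, and optionally deletes,
# the objects named after an old CA under the Public Key Services container.
# Assumptions: RSAT ActiveDirectory module, Enterprise Admin rights, and that
# 'OldCorp-CA' is the CA common name reported by certutil (placeholder value).
Import-Module ActiveDirectory

function Get-StaleCAObjects {
    param(
        [Parameter(Mandatory)][string]$CAName
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNC"
    # The sub folders the article walks through. Only objects inside them are
    # returned; the folders themselves are never touched.
    $containers = 'AIA', 'CDP', 'Certificate Templates',
                  'Certification Authorities', 'Enrollment Services', 'KRA', 'OID'
    foreach ($c in $containers) {
        $base = "CN=$c,$pks"
        # CDP nests one container per CA server, so search the whole subtree.
        # A missing container (e.g. no KRA was ever configured) is skipped.
        Get-ADObject -SearchBase $base -SearchScope Subtree `
                     -LDAPFilter "(cn=$CAName)" -Properties objectClass, whenChanged `
                     -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Container'; e = { $c }}, Name, ObjectClass,
                          WhenChanged, DistinguishedName
    }
}

# Step 1: review. Nothing is deleted here. Template and OID entries are not
# named after the CA, so those folders usually return nothing (matching the
# article's note that they may need no cleanup).
$stale = Get-StaleCAObjects -CAName 'OldCorp-CA'
$stale | Format-Table Container, Name, ObjectClass, WhenChanged -AutoSize

# Step 2: delete, only after the list above has been checked against the
# certutil output. -WhatIf shows what would be removed; drop it to commit.
foreach ($obj in $stale) {
    Remove-ADObject -Identity $obj.DistinguishedName -WhatIf
}
```

Under CDP the per-server container (named after the old CA server, not the CA) is left behind after its cRLDistributionPoint child is removed; delete it separately once it is empty.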
Conclusion – Remove CA from domain
These were the minimum steps required to remove an old CA from your Active Directory domain. Let us know in the comments if you have any questions.