You have likely found this article because you are attempting to remove an old CA from a domain in Active Directory. If you’re an Active Directory domain administrator you may have discovered old domains showing up as available CAs on your domain. You may also be attempting to decommission an old CA server. This article will focus on the former, but if your use case is more in line with the latter it will cover useful information for you as well. For more information on Microsoft CAs, go here.
Step 1: Revoke all issued certificates
Step 2: Uninstall AD Certificate Services from the CA server
Step 3: Remove CA objects from Active Directory
This is the step we will focus on for the purposes of this article. The use case here is an Active Directory domain administrator who has inherited a domain with an old CA that was never cleaned up properly: it has no active certificates issued and the old CA server has been decommissioned, but there is still metadata for the old CA lying around in the domain.
To show the CAs still discoverable on your domain, run the following command from the Windows command prompt:
certutil
It will display the list of CAs known to the domain. Assuming the server itself is already decommissioned, you will need to authenticate to a domain controller and clean it up from there.
On the domain controller, open the “Active Directory Sites and Services” window and select View -> Show Services Node.
Navigate to the Services -> Public Key Services folder and, in each subfolder, remove the entry that corresponds to the CA you are cleaning up. You should expect to see records under each of the following subfolders. Note that you should delete only the records for the CA under each folder, not the folder itself.
- AIA
- CDP
- Certificate Templates (you may not need to clean anything up under this one)
- Certification Authorities
- Enrollment Services
- KRA
- OID
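The same inventory and clean-up can be scripted rather than clicked through in the Sites and Services console. The PowerShell below is an added example, not part of the original article: it first lists the CAs still registered under Enrollment Services (the same information certutil shows), then searches each of the subfolders listed above for objects named after the CA and, only when the assumed -Remove switch is given, deletes those objects while leaving the containers in place. It assumes the RSAT ActiveDirectory module is installed and that $CaName is the CA's common name exactly as certutil reports it; the CA name "CORP-OLD-CA" in the usage comment is a constructed placeholder.

```powershell
# Added example: report (and optionally remove) AD metadata for a decommissioned CA.
# Assumed inputs: -CaName is the CA common name as shown by certutil;
# -Remove is an assumed switch, without it the script is read-only.
# Usage (constructed example):  .\Remove-OldCaObjects.ps1 -CaName "CORP-OLD-CA"
param(
    [Parameter(Mandatory)][string]$CaName,
    [switch]$Remove
)

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Which CAs does the domain still advertise? Equivalent to what certutil lists.
Write-Host "CAs currently registered under Enrollment Services:"
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -Filter * -Properties dNSHostName |
    Where-Object { $_.ObjectClass -eq 'pKIEnrollmentService' } |
    Select-Object Name, dNSHostName | Format-Table -AutoSize

# 2. The subfolders from the article. Objects under AIA, Certification Authorities,
#    Enrollment Services and KRA are named after the CA; CDP nests CRL objects under a
#    container named after the CA *server*, so a subtree search is used there.
#    OID and Certificate Templates are keyed by OID / template name, so a name match
#    is unusual and anything found there should be reviewed by hand.
$containers = 'AIA', 'CDP', 'Certificate Templates', 'Certification Authorities',
              'Enrollment Services', 'KRA', 'OID'

# Escape LDAP filter metacharacters in the CA name (RFC 4515) so names with
# parentheses or asterisks do not break the query.
$escaped = $CaName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

$found = foreach ($c in $containers) {
    $base = "CN=$c,$pkiBase"
    Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter "(cn=$escaped)" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Container         = $c
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
            }
        }
}

if (-not $found) {
    Write-Host "No objects named '$CaName' found under Public Key Services."
    return
}

Write-Host "Objects referencing '$CaName':"
$found | Format-Table Container, ObjectClass, DistinguishedName -AutoSize

if (-not $Remove) {
    Write-Host "Re-run with -Remove to delete these objects (containers are left intact)."
    return
}

# 3. Delete only the CA's own objects, never the subfolder containers themselves.
#    -Confirm prompts per object; -WhatIf can be added for a dry run.
foreach ($obj in $found) {
    Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm
}
```

The report step is deliberately separate from deletion: run it once, confirm the names match what certutil shows and that no current CA shares the name, and only then re-run with the switch. Deleting these objects requires Enterprise Admin (or delegated) rights on the Configuration partition, and the change replicates forest-wide.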
Conclusion – Remove CA from domain
These were the minimum steps required to remove an old CA from your Active Directory domain. Let us know in the comments if you have any questions.
Mister PKI,
In our AD environment, I have found expired and non-expired certs issued by an old CA server that no longer exists. The expired cert is in the personal store on the DCs and servers, and the valid cert is in the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores, which expires in 2116.
There are still old references to the CA in the Services -> Public Key Services folder. I believe I only have one external website using LDAPS to authenticate users to the site, which is pointing to one of my DCs. I found this out when I deleted the expired CA cert in the personal store on that specific server and users could not authenticate to that site. I resolved it by pointing LDAPS to a different DC. Can I use this procedure to clean up the metadata and remove the CA without deleting the certs on the servers until I can identify any other services using the cert? Is there a way to find out what else the certs are being used for? Are there any other impacts on getting rid of the CA? Thanks
John
I’m not understanding your question. In the first sentence you stated the CA server no longer exists, but in the last sentence you asked if there are other impacts on getting rid of the CA. Are you saying the CA server was decommissioned but the CA certificate itself is still valid? If so, do you have the private key of the CA? If not, I would recommend considering just swapping out the certificate on the DC and see what breaks. Short term, you could try removing the trusted CA and see what breaks, and be ready to immediately re-trust it if a critical service breaks. This obviously depends on how much risk you are able to take on, but it sounds like you are already operating in a high risk scenario using a CA that you may no longer have the private key to.
Thanks for the reply. To clarify the last sentence, “Are there any other impacts on getting rid of the CA?”: I was planning on deleting the old references to the old CA using ADSI Edit. It looks like the old CA was never properly decommissioned (it no longer exists) and there are expired and non-expired certs that were issued by the old CA. I do not have the private key of the old CA.