Remove CA from Domain in Active Directory

December 5, 2022 by Mister PKI Leave a Comment

You have likely found this article because you are attempting to remove an old CA from a domain in Active Directory. If you’re an Active Directory domain administrator, you may have discovered old CAs still showing up as available on your domain. You may also be attempting to decommission an old CA server. This article will focus on the former, but if your use case is more in line with the latter, it will cover useful information for you as well. For more information on Microsoft CAs, go here.

Step 1: Revoke all issued certificates

Step 2: Uninstall AD Certificate Services from the CA server

Step 3: Remove CA objects from Active Directory

This is the step we will focus on for the purposes of this article. The use case here is an Active Directory domain administrator that has inherited a domain with an old CA that was never cleaned up properly. It has no active certificates issued, the old CA server has been decommissioned, but there is still metadata lying around on the domain for the old CA.

To show the CAs still discoverable on your domain, run the following command from the Windows command prompt:

certutil

It will display the list of CAs known to the domain. Assuming the server itself is already decommissioned, you will need to authenticate to a domain controller and clean it up from there.

On the domain controller, open the “Active Directory Sites and Services” window and select View -> Show Services Node.

Navigate to the Services -> Public Key Services folder and, for each subfolder, remove the corresponding entry for the CA you are cleaning up. You should expect to see records under each of the following subfolders. Note that you should delete the records for the CA under each of the folders, not the folder itself.

  • AIA
  • CDP
  • Certificate Templates (you may not need to clean anything up under this one)
  • Certification Authorities
  • Enrollment Services
  • KRA
  • OID
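As an added example (not part of the original post), the following PowerShell script enumerates the same Public Key Services subfolders for leftover objects whose CN contains the old CA's name and dry-runs their removal so you can review the list before deleting anything. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder for the CA name.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module and a domain account allowed to modify the Configuration partition.
Import-Module ActiveDirectory

$CaName = 'OLD-CA-NAME-PLACEHOLDER'   # CN of the old CA, as listed by certutil

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"

# The subfolders the post tells you to check, in the same order.
$Containers = 'AIA', 'CDP', 'Certificate Templates', 'Certification Authorities',
              'Enrollment Services', 'KRA', 'OID'

$Leftovers = foreach ($c in $Containers) {
    $base = "CN=$c,$PkiBase"
    # CDP holds one sub-container per CA server, so search the whole subtree.
    # Matching is on CN only: objects not named after the CA (possible under
    # Certificate Templates and OID) still need the manual review described above.
    Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter "(cn=*$CaName*)" `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.DistinguishedName -ne $base } |
        Select-Object @{ n = 'Container'; e = { $c } }, ObjectClass, DistinguishedName
}

# Review what is left behind for the old CA before touching anything.
$Leftovers | Format-Table -AutoSize

# Dry run: -WhatIf reports what would be deleted without changing AD.
# Drop -WhatIf only after confirming every entry belongs to the decommissioned CA.
$Leftovers | ForEach-Object {
    Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false -WhatIf
}
```

Run `certutil` again afterwards to confirm the old CA no longer appears in the domain's CA list.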

Conclusion – Remove CA from domain

These were the minimum steps required to remove an old CA from your Active Directory domain. Let us know in the comments if you have any questions.
