Remove CA from Active Directory

[screenshot: decommissionca01]

To remove a Certification Authority from Active Directory, follow the steps below in order, so that the CA objects and services that are no longer needed are deleted.

The procedure decommissions the CA properly and cleans the Active Directory environment of the objects that the uninstall of AD Certificate Services leaves behind.


Revoke all issued certificates

Open the Certification Authority console, expand the configured CA and navigate to Issued Certificates. In the right pane, right-click the issued certificates and select All Tasks > Revoke Certificate.

[screenshot: decommissionca02]

Specify a reason in the Reason code field, then click Yes.

[screenshot: decommissionca03]

The certificate is removed from the list.

[screenshot: decommissionca04]

Right-click the Revoked Certificates item and select Properties.

[screenshot: decommissionca05]

Increase the CRL publication interval by typing a suitably long value, then click OK. The last CRL published by this CA must stay valid after the CA is gone, because no further CRLs will be issued.

[screenshot: decommissionca06]

Now right-click the Revoked Certificates item and select All Tasks > Publish.

[screenshot: decommissionca07]

Select the New CRL option and click OK.

[screenshot: decommissionca08]

In the Pending Requests folder, deny any pending certificate requests by right-clicking the pending request and selecting All Tasks > Deny Request.

[screenshot: decommissionca09]
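The console steps of this section (revoke every issued certificate, deny pending requests, lengthen the CRL validity and publish a final CRL) can be scripted with certutil. The following is an added example, not code from the original post; it assumes it is run elevated on the CA server while the CA service is still running, that disposition 20 marks issued requests and disposition 9 pending ones in the CA database, and that reason code 5 (CessationOfOperation) is the revocation reason you want.

```powershell
# Added example (not from the original post): script the revocation section with certutil.
# Assumptions: elevated session on the CA server, CA service running,
# Disposition 20 = issued, Disposition 9 = pending, reason code 5 = CessationOfOperation.

function Get-RequestColumn {
    # Query the CA database for one column of rows matching $Restrict, returned as strings.
    param([string]$Restrict, [string]$Column)
    $csv = & certutil.exe -view -restrict $Restrict -out $Column csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for restriction '$Restrict'" }
    # Take the first column whatever its display header is, so header wording does not matter.
    $csv | ConvertFrom-Csv | ForEach-Object {
        ($_.PSObject.Properties | Select-Object -First 1).Value.Trim()
    } | Where-Object { $_ }
}

function Revoke-AllIssuedCertificates {
    param([int]$ReasonCode = 5)   # 5 = CessationOfOperation
    $serials = @(Get-RequestColumn -Restrict "Disposition=20" -Column "SerialNumber")
    foreach ($serial in $serials) {
        & certutil.exe -revoke $serial $ReasonCode | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to revoke serial $serial" }
    }
    return $serials.Count
}

function Deny-AllPendingRequests {
    $ids = @(Get-RequestColumn -Restrict "Disposition=9" -Column "RequestID")
    foreach ($id in $ids) {
        & certutil.exe -deny $id | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to deny request $id" }
    }
    return $ids.Count
}

function Publish-FinalCrl {
    param([int]$Years = 99)
    # Same effect as raising the CRL publication interval in the console: the final CRL
    # must remain valid long after the CA has been removed.
    & certutil.exe -setreg CA\CRLPeriodUnits $Years | Out-Null
    & certutil.exe -setreg CA\CRLPeriod "Years" | Out-Null
    # Registry changes take effect after a service restart; then publish a new base CRL.
    Restart-Service -Name CertSvc
    & certutil.exe -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed" }
}

$revoked = Revoke-AllIssuedCertificates
$denied  = Deny-AllPendingRequests
Write-Output "Revoked $revoked certificate(s), denied $denied pending request(s)."
Publish-FinalCrl
```

Run it before uninstalling the role, since every step talks to the live CA service. Check the published CRL afterwards (for example with certutil on a CDP copy) to confirm its next-update date is far enough in the future for the longest-lived certificate the CA issued.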


Uninstall AD Certificate Services

On the CA server, open the Command Prompt and type the command:

[screenshot: decommissionca10]

To list all key containers for the local computer, type in the Command Prompt:

[screenshot: decommissionca11]

Delete the private key associated with the CA using the following command, where CertificateAuthorityName is the key container name reported by the previous listing:

certutil -delkey CertificateAuthorityName

[screenshot: decommissionca12]

List the key containers once again to check that the CA private key has been removed.

[screenshot: decommissionca13]

Open Server Manager, select the Roles item and click Remove Roles in the right pane.

[screenshot: decommissionca14]

The Remove Roles Wizard opens. Click Next to continue.

[screenshot: decommissionca15]

Uncheck Active Directory Certificate Services then click Next.

[screenshot: decommissionca16]

Click Remove to proceed.

[screenshot: decommissionca17]

The selected role is removed.

[screenshot: decommissionca18]

Click Close to exit the wizard.

[screenshot: decommissionca19]

Click Yes to restart the server.

[screenshot: decommissionca20]

After rebooting the server, the procedure is complete.

[screenshot: decommissionca21]


Remove CA objects from Active Directory

When the CA is installed, several objects are created in Active Directory, and they are not removed during the uninstall process. Only the pKIEnrollmentService object is removed, to prevent clients from trying to enroll against the decommissioned CA.

Open the Command Prompt and type the certutil command shown:

[screenshot: decommissionca22]

Open Active Directory Sites and Services and select View > Show Services Node.

[screenshot: decommissionca23]

Navigate to Services > Public Key Services > AIA. Right-click the CA object and select Delete.

[screenshot: decommissionca24]

Click Yes to confirm deletion.

[screenshot: decommissionca25]

Now navigate to Services > Public Key Services > CDP. Right-click the container object named after the server where Certificate Services was installed and select Delete.

[screenshot: decommissionca26]

Click Yes to confirm deletion.

[screenshot: decommissionca27]

Click Yes again to confirm, since the container holds child objects.

[screenshot: decommissionca28]

Navigate to Services > Public Key Services > Certification Authorities. Right-click the CA object and select Delete.

[screenshot: decommissionca29]

Click Yes to confirm deletion.

[screenshot: decommissionca30]

Navigate to Services > Public Key Services > Enrollment Services. In the right pane, verify that the pKIEnrollmentService object was removed during the CA uninstall. If the object is still there, right-click it, select Delete and click Yes to confirm.

[screenshot: decommissionca31]

Navigate to Services > Public Key Services > Certificate Templates. In the right pane, select a certificate template and press CTRL+A to select all templates. Right-click and select Delete. Certificate templates are shared by every Enterprise CA in the forest, so delete them only if this was the last CA.

[screenshot: decommissionca32]

Click Yes to confirm deletion.

[screenshot: decommissionca33]


Delete certificates published to the NtAuthCertificates object

When the CA objects are deleted, the CA certificates published to the NtAuthCertificates object must also be deleted.

With Enterprise Administrator permissions, check the full LDAP path of the NtAuthCertificates object in Active Directory with the following command:

[screenshot: decommissionca34]

To delete certificates from the NTAuthCertificates store, run the command:

[screenshot: decommissionca36]

Click OK to delete the certificate.

[screenshot: decommissionca37]

Now run the following command:

[screenshot: decommissionca38]

Click OK to delete the certificate.

[screenshot: decommissionca39]
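After the two sections above (deleting the objects under Public Key Services and clearing NtAuthCertificates), a quick audit shows whether anything referring to the old CA is still published in the Configuration partition. The script below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is installed, the account can read the Configuration partition, and that the CA name and the CA server's hostname are passed in as parameters (names used here, Contoso-CA and CA01, are made up).

```powershell
# Added example (not from the original post): audit the Public Key Services containers for
# leftovers of a decommissioned CA and list what is still published in NtAuthCertificates.
# Assumptions: ActiveDirectory module present; read access to the Configuration partition;
# $CaName is the CA common name, $ServerName the hostname that named the CDP container.
Import-Module ActiveDirectory

function Get-LeftoverCaObjects {
    param(
        [Parameter(Mandatory = $true)][string]$CaName,
        [Parameter(Mandatory = $true)][string]$ServerName
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNC"
    $containers = @("AIA", "CDP", "Certification Authorities", "Enrollment Services")
    # AIA, Certification Authorities and Enrollment Services hold objects named after the CA;
    # CDP holds a container named after the server with the CRL objects underneath it.
    $filter = "(|(cn=*$CaName*)(cn=*$ServerName*))"

    foreach ($c in $containers) {
        $base = "CN=$c,$pks"
        try {
            Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter $filter -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Container         = $c
                        ObjectClass       = $_.ObjectClass
                        DistinguishedName = $_.DistinguishedName
                    }
                }
        } catch {
            Write-Warning "Could not search $base : $($_.Exception.Message)"
        }
    }
}

function Get-NtAuthCertificates {
    # Decode every value of the multi-valued cACertificate attribute so the remaining
    # entries can be matched against the decommissioned CA by subject or thumbprint.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NtAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate
    foreach ($raw in $obj.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

# Constructed sample invocation (names are made up):
Get-LeftoverCaObjects -CaName "Contoso-CA" -ServerName "CA01" | Format-Table -AutoSize
Get-NtAuthCertificates | Format-Table -AutoSize
```

An empty result from Get-LeftoverCaObjects and no entry for the old CA's subject in Get-NtAuthCertificates means the directory clean-up is complete. If the CA name contains LDAP filter metacharacters such as parentheses or asterisks, escape them before building the filter.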


Delete the CA database

Since the database is not removed during the Certificate Services uninstall, delete the %systemroot%\System32\Certlog folder to remove it.

[screenshot: decommissionca40]


Remove certificates from DCs

The certificates that were issued to Domain Controllers must also be removed.

On a Domain Controller, open the Command Prompt and type the command:

[screenshot: decommissionca41]

Certutil tries to validate all the certificates issued to the domain controllers; certificates that do not validate are removed. Active Directory Certificate Services has now been removed from Active Directory.
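Before and after the certutil step on each domain controller, it is useful to see exactly which certificates in the machine's Personal store came from the decommissioned CA and whether they still build a valid chain. The following is an added example, not code from the original post; it assumes it runs on the domain controller and that the CA's common name is passed in (the name used in the sample call is made up). It only reports, it does not delete anything.

```powershell
# Added example (not from the original post): on a domain controller, list certificates in
# Cert:\LocalMachine\My issued by the decommissioned CA and report chain validation results.
# Assumption: $IssuerCN is the CA common name as it appears in the Issuer field.
function Get-DcCertificatesFromCa {
    param([Parameter(Mandatory = $true)][string]$IssuerCN)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$IssuerCN*" } |
        ForEach-Object {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            # Check revocation online, so a CRL that can no longer be fetched from the
            # removed CA shows up in the status rather than being silently ignored.
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $valid = $chain.Build($_)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                ChainValid = $valid
                Status     = $status
            }
        }
}

# Constructed sample invocation (name is made up):
Get-DcCertificatesFromCa -IssuerCN "Contoso-CA" | Format-Table -AutoSize
```

Entries with ChainValid set to False are the ones the certutil step above will remove. Keep in mind that a domain controller without a valid certificate can no longer offer LDAPS or smart-card logon, so if those services are in use, plan enrollment from a replacement CA before this step.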
