How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server (889250)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
SUMMARY
When you uninstall a certification authority (CA), the certificates that were issued by the CA are typically still outstanding. If the outstanding certificates are processed by the various Public Key Infrastructure client computers, validation will fail, and those certificates will not be used.
This article describes how to revoke outstanding certificates and how to complete various other tasks that are required to successfully uninstall a CA. Additionally, this article describes several utilities that you can use to help you remove CA objects from your domain.

INTRODUCTION
This step-by-step article describes how to decommission a Microsoft Windows enterprise CA and how to remove all related objects from the Active Directory directory service.

Step 1: Revoke all active certificates that are issued by the enterprise CA
- Click Start, point to Administrative Tools, and then click Certification Authority.
- Expand your CA, and then click the Issued Certificates folder.
- In the right pane, click one of the issued certificates, and then press CTRL+A to select all issued certificates.
- Right-click the selected certificates, click All Tasks, and then click Revoke Certificate.
- In the Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.
Step 2: Increase the CRL publication interval
- In the Certification Authority Microsoft Management Console (MMC) snap-in, right-click the Revoked Certificates folder, and then click Properties.
- In the CRL Publication Interval box, type a suitably long value, and then click OK.
Note The lifetime of the Certificate Revocation List (CRL) should be longer than the lifetime that remains for certificates that have been revoked.

Step 3: Publish a new CRL
- In the Certification Authority MMC snap-in, right-click the Revoked Certificates folder.
- Click All Tasks, and then click Publish.
- In the Publish CRL dialog box, click New CRL, and then click OK.
Step 4: Deny any pending requests
By default, an enterprise CA does not store certificate requests. However, an administrator can change this default behavior. To deny any pending certificate requests, follow these steps:
- In the Certification Authority MMC snap-in, click the Pending Requests folder.
- In the right pane, click one of the pending requests, and then press CTRL+A to select all pending requests.
- Right-click the selected requests, click All Tasks, and then click Deny Request.
Step 5: Uninstall Certificate Services from the server
- To stop Certificate Services, click Start, click Run, type cmd, and then click OK.
- At the command prompt, type certutil -shutdown, and then press ENTER.
- To list all key stores for the local computer, type certutil -key at the command prompt. This command will display the names of all the installed cryptographic service providers (CSP) and the key stores that are associated with each provider. Among the listed key stores, you will see the name of your CA listed several times, as shown in the following example.
    (1)Microsoft Base Cryptographic Provider v1.0:
        1a3b2f44-2540-408b-8867-51bd6b6ed413
        MS IIS DCOM ClientSYSTEMS-1-5-18
        MS IIS DCOM Server
        Windows2000 Enterprise Root CA
        MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
        afd1bc0a-a93c-4a31-8056-c0b9ca632896
        Microsoft Internet Information Server
        NetMon
        MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
    (5)Microsoft Enhanced Cryptographic Provider v1.0:
        1a3b2f44-2540-408b-8867-51bd6b6ed413
        MS IIS DCOM ClientSYSTEMS-1-5-18
        MS IIS DCOM Server
        Windows2000 Enterprise Root CA
        MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
        afd1bc0a-a93c-4a31-8056-c0b9ca632896
        Microsoft Internet Information Server
        NetMon
        MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
- Delete the private key that is associated with the CA. To do this, type the following at a command prompt:
    certutil -delkey CertificateAuthorityName
  Note If your CA name contains spaces, enclose the name in quotation marks. In this example, the CertificateAuthorityName is Windows2000 Enterprise Root CA. Therefore, the command line in this example is the following:
    certutil -delkey "Windows2000 Enterprise Root CA"
- List the key stores again to verify that the private key for your CA has been deleted.
- After you delete the private key for your CA, uninstall Certificate Services. To do this, follow these steps:
  - Close the Certification Authority MMC snap-in if it is still open.
  - Click Start, point to Control Panel, and then click Add or Remove Programs.
  - Click Add/Remove Windows Components.
  - In the Components box, click to clear the Certificate Services check box, click Next, and then follow the instructions in the Windows Components Wizard to complete the removal of Certificate Services.
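The following Python script is an added example; it is not part of the article and not Microsoft's code. It parses a certutil -key listing in the format shown in Step 5, reports every provider under which the CA's key container appears, builds the certutil -delkey command line (quoting a name that contains spaces, as the note above requires), and checks a second listing to confirm that the key is gone. The embedded listing is the article's own sample output; the parser assumes that provider lines look like "(N)Provider name:" and that the container names follow on their own lines, as in that sample.

```python
"""Parse 'certutil -key' output, locate the CA's key containers, build the
'certutil -delkey' command, and verify a later listing no longer shows the key.
Added example, not Microsoft's code.  Assumes the listing format shown in the
article (provider header "(N)Name:" followed by one container name per line)."""
import re
from collections import OrderedDict

# Provider header line, e.g. "(1)Microsoft Base Cryptographic Provider v1.0:"
PROVIDER_RE = re.compile(r"^\((\d+)\)(.+?):\s*$")

# Listing reproduced from the article's Step 5 example.
SAMPLE_LISTING = """\
(1)Microsoft Base Cryptographic Provider v1.0:
1a3b2f44-2540-408b-8867-51bd6b6ed413
MS IIS DCOM ClientSYSTEMS-1-5-18
MS IIS DCOM Server
Windows2000 Enterprise Root CA
MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
afd1bc0a-a93c-4a31-8056-c0b9ca632896
Microsoft Internet Information Server
NetMon
MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
(5)Microsoft Enhanced Cryptographic Provider v1.0:
1a3b2f44-2540-408b-8867-51bd6b6ed413
MS IIS DCOM ClientSYSTEMS-1-5-18
MS IIS DCOM Server
Windows2000 Enterprise Root CA
MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500
afd1bc0a-a93c-4a31-8056-c0b9ca632896
Microsoft Internet Information Server
NetMon
MS IIS DCOM ClientAdministratorS-1-5-21-842925246-1715567821-839522115-500
"""


def parse_key_stores(listing):
    """Return {provider_name: [container_name, ...]} from certutil -key output."""
    stores = OrderedDict()
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = PROVIDER_RE.match(line)
        if match:
            current = match.group(2).strip()
            stores.setdefault(current, [])
        elif current is not None:
            stores[current].append(line)   # lines before any header are ignored
    return stores


def find_ca_containers(stores, ca_name):
    """All (provider, container) pairs whose container name equals the CA name."""
    return [(provider, container)
            for provider, containers in stores.items()
            for container in containers if container == ca_name]


def delkey_command(ca_name):
    """The certutil -delkey command line; a name containing spaces is quoted."""
    argument = '"%s"' % ca_name if " " in ca_name else ca_name
    return "certutil -delkey " + argument


def ca_key_deleted(listing_after, ca_name):
    """True when a fresh 'certutil -key' listing no longer contains the CA key."""
    return not find_ca_containers(parse_key_stores(listing_after), ca_name)


if __name__ == "__main__":
    ca = "Windows2000 Enterprise Root CA"
    stores = parse_key_stores(SAMPLE_LISTING)
    for provider, container in find_ca_containers(stores, ca):
        print("CA key container found under %s: %s" % (provider, container))
    print("Run:", delkey_command(ca))
    print("Deleted yet:", ca_key_deleted(SAMPLE_LISTING, ca))
```

Run certutil -key, save the output to a file, and feed it to parse_key_stores before and after the -delkey step; ca_key_deleted on the second capture is the check that Step 5 asks for.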
Step 6: Remove CA objects from Active Directory
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory. These objects are the following:
- certificateAuthority object
  - Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  - Contains the CA certificate for the CA.
  - Published Authority Information Access (AIA) location.
- crlDistributionPoint object
  - Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  - Contains the CRL periodically published by the CA.
  - Published CRL Distribution Point (CDP) location.
- certificationAuthority object
  - Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  - Contains the CA certificate for the CA.
- pKIEnrollmentService object
  - Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
  - Created by the enterprise CA.
  - Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.
When the CA is uninstalled, only the pKIEnrollmentService object is removed. This prevents clients from trying to enroll against the decommissioned CA. The other objects are retained because certificates that are issued by the CA are probably still outstanding. These certificates must be revoked by following the procedure in the "Step 1: Revoke all active certificates that are issued by the enterprise CA" section. For Public Key Infrastructure (PKI) client computers to successfully process these outstanding certificates, the computers must locate the Authority Information Access (AIA) and CRL distribution point paths in Active Directory. It is a good idea to revoke all outstanding certificates, extend the lifetime of the CRL, and publish the CRL in Active Directory. If the outstanding certificates are processed by the various PKI clients, validation will fail, and those certificates will not be used. If it is not a priority to maintain the CRL distribution point and AIA in Active Directory, you can remove these objects. Do not remove these objects if you expect to process one or more of the formerly active digital certificates. To remove all Certificate Services objects from Active Directory, follow these steps:
- Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
- Click the View menu option, and then click Show Services Node.
- Expand Services, expand Public Key Services, and then click the AIA folder.
- In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
- In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDP folder.
- In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
- In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certification Authorities node.
- In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
- In the left pane of the Active Directory Sites and Services MMC snap-in, click the Enrollment Services node.
- In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object is not deleted, right-click the object, click Delete, and then click Yes.
- In the left pane of the Active Directory Sites and Services MMC snap-in, click the Certificate Templates folder.
- In the right pane, click a certificate template, and then press CTRL+A to select all templates. Right-click the selected templates, click Delete, and then click Yes.
  Important If the templates are accidentally deleted, make sure that you are logged on to a server that is running Certificate Services as Enterprise administrator. At a command prompt, type cd %windir%\system32, press ENTER, type regsvr32 /i:i /n /s certcli.dll, and then press ENTER. This will re-create the certificate templates in Active Directory.
- In the left pane of the Active Directory Sites and Services MMC snap-in, click the Public Key Services folder, right-click the NTAuthCertificates object, click Delete, and then click Yes.
  Important If other enterprise or stand-alone CAs are installed in the forest, do not delete this object.

Step 7: Delete the CA database
When Certificate Services is uninstalled, the CA database is left intact in case the CA is to be re-created on another server. To remove the CA database, delete the %systemroot%\System32\Certlog folder.

Step 8: Clean up domain controllers
After the CA has been uninstalled, the certificates that have been issued to all the domain controllers must be removed. To remove certificates that are issued to domain controllers, use the Dsstore.exe utility from the Microsoft Windows 2000 Resource Kit. To remove old domain controller certificates, follow these steps:
- Click Start, click Run, type cmd, and then press ENTER.
- On a domain controller, type dsstore -dcmon at the command prompt, and then press ENTER.
- Type 3, and then press ENTER. This choice will delete all certificates on all domain controllers.
Note The Dsstore.exe utility will try to validate domain controller certificates that are issued to each domain controller. Certificates that do not validate are removed from the respective domain controller.
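Before reinstalling, it is worth confirming which of the Step 6 objects still exist for the old CA. The following Python script is an added example, not part of the article and not Microsoft's code. It reads an LDIF export of the Public Key Services container (the kind of file ldifde produces), builds the distinguished names that Step 6 lists for a given CA name, server name and forest root DN, reports which objects remain, and flags whether any other CA still has a pKIEnrollmentService object, in which case the NTAuthCertificates object must be kept. The CA name "Contoso Root CA", server name "CA01", the forest DN and the LDIF records are constructed for the example; it also assumes, as Step 6 does not spell out, that the AIA, CDP, Certification Authorities and Enrollment Services objects are named after the CA.

```python
"""Audit the Active Directory objects that Step 6 lists for a decommissioned CA,
from an LDIF export of the Public Key Services container.
Added example, not Microsoft's code.  CA name, server name, forest DN and the
LDIF records below are constructed.  Assumes the per-CA objects under AIA,
CDP\\ServerName, Certification Authorities and Enrollment Services carry the
CA name as their CN."""

PKI_BASE = "CN=Public Key Services,CN=Services,CN=Configuration,%s"

# Constructed ldifde-style export, taken after Certificate Services was
# uninstalled from CA01: the pKIEnrollmentService object for the old CA is
# already gone, the other objects remain, and a second CA is still enrolling.
SAMPLE_LDIF = """\
# constructed export of CN=Public Key Services
dn: CN=Contoso Root CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
objectClass: certificationAuthority
cn: Contoso Root CA

dn: CN=Contoso Root CA,CN=CA01,CN=CDP,CN=Public Key Services,CN=Services,
 CN=Configuration,DC=contoso,DC=com
objectClass: cRLDistributionPoint
cn: Contoso Root CA

dn: CN=Contoso Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
objectClass: certificationAuthority
cn: Contoso Root CA

dn: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
objectClass: certificationAuthority
cn: NTAuthCertificates

dn: CN=Contoso Issuing CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
objectClass: pKIEnrollmentService
cn: Contoso Issuing CA
"""


def expected_objects(ca_name, server_name, forest_dn):
    """DNs of the objects Step 6 describes for this CA, plus NTAuthCertificates."""
    base = PKI_BASE % forest_dn
    return {
        "AIA": "CN=%s,CN=AIA,%s" % (ca_name, base),
        "CDP": "CN=%s,CN=%s,CN=CDP,%s" % (ca_name, server_name, base),
        "CertificationAuthorities": "CN=%s,CN=Certification Authorities,%s" % (ca_name, base),
        "EnrollmentServices": "CN=%s,CN=Enrollment Services,%s" % (ca_name, base),
        "NTAuthCertificates": "CN=NTAuthCertificates,%s" % base,
    }


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]} dicts, attribute
    names lower-cased.  Handles folded continuation lines and comments;
    base64 ("attr::") values are skipped because the audit needs only DNs."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last record
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]    # folded continuation line
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):               # base64-encoded value
            last_attr = None
            continue
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return records


def normalize_dn(dn):
    """Case-insensitive DN comparison form with whitespace around commas removed.
    (A CA name that itself contains a comma would need RFC 4514 escaping.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit(ldif_text, ca_name, server_name, forest_dn):
    """Return {label: bool}: which Step 6 objects are present for this CA, and
    OtherCAsEnrolling, true when another CA's pKIEnrollmentService exists."""
    present = {normalize_dn(r["dn"][0]) for r in parse_ldif(ldif_text) if "dn" in r}
    expected = expected_objects(ca_name, server_name, forest_dn)
    status = {label: normalize_dn(dn) in present for label, dn in expected.items()}
    enroll_suffix = "," + normalize_dn("CN=Enrollment Services," + PKI_BASE % forest_dn)
    own_enrollment = normalize_dn(expected["EnrollmentServices"])
    status["OtherCAsEnrolling"] = any(
        dn.endswith(enroll_suffix) and dn != own_enrollment for dn in present)
    return status


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF, "Contoso Root CA", "CA01", "DC=contoso,DC=com")
    for label in ("AIA", "CDP", "CertificationAuthorities", "EnrollmentServices"):
        print("%-26s %s" % (label, "still present" if report[label] else "removed"))
    if report["OtherCAsEnrolling"]:
        print("Another CA still enrolls in this forest: keep NTAuthCertificates.")
```

The expected result immediately after uninstalling is exactly what the constructed export shows: EnrollmentServices removed, the other three objects and NTAuthCertificates still present. Re-run the audit after the Step 6 deletions to confirm that only NTAuthCertificates remains when other CAs are still in service.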
At this point, you can reinstall Certificate Services. After the installation is finished, the new root certificate will be published to Active Directory. When the domain client computers update their security policy, the computers will automatically download the new root certificate into their trusted root stores. To force application of the security policy, follow these steps:
- Click Start, click Run, type cmd, and then press ENTER.
- At a command prompt, type the following:
  Windows 2000
    secedit /refreshpolicy machine_policy /enforce
  Windows Server 2003
Modification Type: Major | Last Reviewed: 4/26/2006
Keywords: kbHOWTOmaster kbCertServices kbhowto KB889250 kbAudEndUser kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.