Saturday, April 2, 2011

Decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003

Step 1: Revoke all active certificates that are issued by the enterprise CA
1. At the CA server, log in as Domain Administrator.
2. Click "Start > Administrative Tools > Certification Authority".
3. Expand "<CA Name> > Issued Certificates".
4. At right pane, select all certificates.
5. Right-click the selected certificates, select "All Tasks > Revoke Certificate".
6. Next to "Reason code", select "Cease of Operation".

Figure 1: Cease of Operation

7. Click "Yes".

Step 2: Delete all certificate templates
1. In the "Certification Authority" console, select "Certificate Templates".
2. At right pane, select all certificate templates.
3. Right-click the selected certificate templates, select "Delete".
4. Click "Yes".

Figure 2: Certificate Templates

This prevents users from requesting certificates from the CA server.

Step 3: Increase the CRL publication interval
1. In the "Certification Authority" console, right-click "Revoked Certificates", select "Properties".
2. Next to "CRL publication interval", type a suitably long value.

Remark: The lifetime of the Certificate Revocation List (CRL) should be longer than the lifetime that remains for the certificates that have been revoked.

3. Clear "Publish Delta CRLs" check box.

Figure 3: Revoked Certificates properties

4. Click "OK".

Step 4: Publish a new CRL
1. Still in "Certification Authority" console, right-click "Revoked Certificates", select "All Tasks > Publish".

Figure 4: Publish CRL

2. Select "New CRL", click "OK".

Remark: Make sure all clients can access the CDP of CRL.
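The following PowerShell script is an added example, not part of the original post: it checks, from a client machine, that the CRL published in Step 4 is actually reachable at its CDP and that the certificates revoked in Step 1 now fail validation. It assumes the certificates to test were exported from the CA as .cer files into a folder (the path C:\temp\issued-certs is a constructed placeholder) and assumes PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Added example (not from the original post): confirm that revoked certificates fail
# validation on a client and that the CRL can be fetched from the CDP.
# $CertFolder is a constructed placeholder path holding exported .cer files.
param(
    [string]$CertFolder = "C:\temp\issued-certs"   # assumed folder of exported certificates
)

$Flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

function Test-RevokedCertificate {
    param([string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode makes the client fetch the CRL from the CDP named in the certificate,
    # which is exactly the path the post's remark asks you to verify.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $valid = $chain.Build($cert)

    # Fold every chain status flag into one bitmask so combined flags are handled too.
    $combined = $Flags::NoError
    foreach ($s in $chain.ChainStatus) { $combined = $combined -bor $s.Status }

    $result = if (($combined -band $Flags::Revoked) -ne 0) { 'REVOKED' }
              elseif (($combined -band ($Flags::RevocationStatusUnknown -bor $Flags::OfflineRevocation)) -ne 0) { 'CRL-UNREACHABLE' }
              elseif ($valid) { 'STILL-VALID' }
              else { 'INVALID-OTHER' }

    [pscustomobject]@{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Result  = $result
        Detail  = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

# Run the check over every exported certificate and print a summary table.
Get-ChildItem -Path $CertFolder -Filter *.cer |
    ForEach-Object { Test-RevokedCertificate -Path $_.FullName } |
    Format-Table -AutoSize
```

Every certificate should come back as REVOKED. A CRL-UNREACHABLE result means the client could not download the CRL from the CDP (the case the remark warns about), and STILL-VALID means the certificate was missed in Step 1 or the client is still using a cached, older CRL.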

Step 5: Deny any pending requests (optional)
By default, an enterprise CA does not store certificate requests. However, an administrator can change this default behavior. To deny any pending certificate requests, follow these steps:

1. Still in the "Certification Authority" console, select the "Pending Requests" folder.
2. At right pane, select all pending requests.
3. Right-click the selected pending requests, select "All Tasks > Deny Request".

Step 6: Uninstall Certificate Services from the server
1. Launch "Command Prompt", enter "certutil -shutdown".

Figure 5: Stop certificate services

2. Enter "certutil -key" to list all the keys in the local computer's key store.

Figure 6: List all the keys

3. Enter "certutil -delkey <CA Name>" to delete the private keys associated with the CA.

Remark: In this example, <CA Name> is "Windows 2003 Enterprise Root CA". Therefore, the command line is the following:

certutil -delkey "Windows 2003 Enterprise Root CA"

4. Make sure the private key for your CA has been deleted.
5. Use "Add\Remove Windows Components" to uninstall "Certificate Services".

Step 7: Remove CA objects from Active Directory
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

When the CA is uninstalled, only the pKIEnrollmentService object is removed. The other objects are left in place because there are likely still outstanding certificates issued by the CA. In order for clients to successfully process these outstanding certificates, they need to locate the AIA and CDP paths in Active Directory. Good practice is to revoke all outstanding certificates (Reason: Cease of Operation), extend the lifetime of the CRL, and publish it in Active Directory. When those outstanding certificates are processed by the various clients, validation should fail and those certificates will not be used.

1. At Domain Controller, log in as Domain Administrator.
2. Launch "Active Directory Sites and Services".
3. At left pane, select "Active Directory Sites and Services".
4. On the menu, click "View > Show Services Node".

Figure 7: Show Services Node

5. At left pane, expand "Services > Public Key Services > AIA".
6. At right pane, delete "certificateAuthority" object for your Certification Authority.

Figure 8: certificateAuthority object

7. At left pane, select "CDP".
8. Locate the container object for the server where Certificate Services is installed. Delete the container and the objects it contains.

Figure 9: Container object

9. Select "Certification Authorities", delete "certificateAuthority" object for your Certification Authority in right pane.
10. Select "Enrollment Services", verify that the pKIEnrollmentService object for your Certification Authority was removed when Certificate Services was uninstalled. If not, delete it.
11. Select "Certificate Templates", delete all the certificate templates in the right pane.
12. Select "Public Key Services", locate the "NTAuthCertificates" object.

Figure 10: NTAuthcertificates object

13. If there are no other Enterprise or Stand-alone CAs installed in the forest, delete the object.
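The following script is an added example, not part of the original post: a read-only inventory of the Public Key Services container, so that before and after the deletions in Step 7 you can see exactly which objects still refer to the CA, and which CA certificates are still listed in NTAuthCertificates (items 12 and 13). It uses only ADSI and DirectorySearcher, so it runs from PowerShell 2.0 on any domain-joined machine without the ActiveDirectory module. The CA name is the one used in the post; change it for your environment.

```powershell
# Added example (not from the original post): list what is left under
# CN=Public Key Services for a given CA, and what NTAuthCertificates still trusts.
param(
    [string]$CAName = "Windows 2003 Enterprise Root CA"   # CA name from the post
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PkiObjects {
    # Returns every object below Public Key Services together with the sub-container
    # it lives in (AIA, CDP, Certification Authorities, Enrollment Services, ...).
    param([string]$BaseDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDN"
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter      = '(objectClass=*)'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'objectClass', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        if ($dn -eq $BaseDN) { continue }            # skip the container itself
        $classes = $r.Properties['objectclass']
        # The part of the DN below the base tells us which sub-container holds the object.
        $relative  = $dn.Substring(0, $dn.Length - $BaseDN.Length - 1)
        $container = ($relative -split ',(?=CN=)')[-1]
        New-Object PSObject -Property @{
            Container  = $container -replace '^CN=', ''
            Name       = [string]$r.Properties['cn'][0]
            Class      = [string]$classes[$classes.Count - 1]   # most specific objectClass
            RefersToCA = ($dn -like "*$CAName*")
        }
    }
}

function Get-NTAuthCertificates {
    # Lists the CA certificates still trusted for NT authentication (Step 7, items 12-13).
    param([string]$BaseDN)
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$BaseDN"
    foreach ($blob in $ntAuth.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsTargetCA = ($cert.Subject -like "*$CAName*")
        }
    }
}

"Objects under $pkiBase still referring to '$CAName':"
Get-PkiObjects -BaseDN $pkiBase | Where-Object { $_.RefersToCA } |
    Sort-Object Container, Name | Format-Table Container, Class, Name -AutoSize

"CA certificates in NTAuthCertificates:"
Get-NTAuthCertificates -BaseDN $pkiBase | Format-Table Subject, Thumbprint, NotAfter, IsTargetCA -AutoSize
```

Run it once before Step 7 to get the list of objects you are about to delete, and again afterwards: the first table should then be empty, and the NTAuthCertificates table shows whether other CAs in the forest still depend on that object before you decide on item 13.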

Step 8: Delete the CA database
When Certificate Services is uninstalled, the CA database is left intact so that the CA can be re-created on another server.

1. To remove the CA database, delete the "%systemroot%\system32\Certlog" folder.
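The following script is an added example, not part of the original post: run on the former CA server after Steps 6 and 8, it reports whether anything from the CA is still present, namely the CA's key container in the machine key store (the check behind item 4 of Step 6), the CertSvc service and its configuration registry key, and the Certlog database folder. It assumes PowerShell 2.0 or later and certutil.exe on the path; the CA name is the one used in the post.

```powershell
# Added example (not from the original post): post-uninstall check on the CA server.
param(
    [string]$CAName = "Windows 2003 Enterprise Root CA"   # CA name from the post
)

function Test-CaRemnants {
    param([string]$Name)

    # "certutil -key" lists the machine key containers; the CA's container carries the CA name.
    $keyLines = & certutil -key 2>&1 | Select-String -SimpleMatch $Name

    # The service and its registry configuration disappear when Certificate Services is removed.
    $svc    = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

    # The database folder from Step 8.
    $dbFolder = Join-Path $env:SystemRoot 'system32\Certlog'

    New-Object PSObject -Property @{
        PrivateKeyStillPresent  = [bool]$keyLines
        KeyContainerMatches     = (@($keyLines | ForEach-Object { $_.Line.Trim() }) -join '; ')
        CertSvcStillInstalled   = [bool]$svc
        CertSvcConfigKeyPresent = Test-Path $regKey
        DatabaseFolderPresent   = Test-Path $dbFolder
    }
}

Test-CaRemnants -Name $CAName | Format-List
```

All five fields should be False (with an empty KeyContainerMatches) once Steps 6 and 8 are complete; a True for PrivateKeyStillPresent means the certutil -delkey step did not remove the container named in KeyContainerMatches.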

Step 9: Domain Controller Cleanup
1. At domain Controller, log in as Domain Administrator.
2. Launch "Command Prompt", enter "certutil -dcinfo deleteBad".

Remark: Certutil.exe tries to validate all the certificates that are issued to the domain controllers. Certificates that do not validate are removed.


This posting is provided “AS IS” with no warranties, and confers no rights!


  1. You say - "Make sure all clients are received the latest CRL". How do I make sure of this??

    What if some machines no longer exist or people are away on vacation?

    1. Hello Max,
Sorry for my mistake. The remark should be "Make sure all clients can access the CDP of CRL".

The interval of the latest CRL was changed to 5 years. If the machine no longer exists, there is no problem.

If people are away on vacation, I think people don't take vacations of more than 5 years.