question

0 Votes
Ben-5025 asked VickyWang-MFST answered

Certification Authority Removal/Migration query

Hi

So we have a Domain Controller with a certification authority which looks as though it was installed for a specific support tool, as the CA name mentions the tool in this format: SERVERNAME-CA-SOFTWARE.

First, how do I know that this is actually being used, and secondly, if it isn't, can it be removed? All the devices on the network seem to have this certificate, which runs from 2016 (which is when it was installed) to 2021. In the Certification Authority MMC console, the only certificates that are issued are to domain controllers using the Domain Controller template. There also seems to be one user.

My preference would be to remove this Certificate Authority setup and create a new one; otherwise I'll need to migrate it if it is being used, as I need to decommission the server that it's on.

Looking at this page: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

I do not see any of the objects under step 6 within AD, so I'm not sure it was even set up correctly, as this was set up before I was an employee at the location.

From what I can tell, they installed it using these instructions:
http://gregtechnobabble.blogspot.com/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Tags: windows-server, windows-active-directory, windows-server-security, windows-server-2012

0 Votes
Crypt32 answered Crypt32 commented

Please follow this guide (which is an updated version of the Microsoft Docs article): https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

If it is an Enterprise CA, then there should be objects in AD.


Hi, thanks for that. Would this affect any Active Directory functionality? As I'm just not sure any of this is even in use, and as it's installed on a domain controller, it just makes me a bit more wary of removing this stuff, as I don't want it to affect any of the rest of the infrastructure. Furthermore, where am I able to check which type of CA it is, as I don't see much information within the certificate itself (within the root CA or the intermediate CA stores)?

I do see the server CA within the AD Sites and Services console.

The main concern is any negative or adverse effects on our infrastructure.

0 Votes 0 ·

Based on your information, I can conclude that the CA is not used, so you can safely remove and decommission it.

0 Votes 0 ·
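
One way to check the two things asked about in this exchange (which type of CA it is, and whether certificates it issued are still valid), as an added example that is not part of the original thread. It assumes an English-language server, because the CSV column names printed by certutil are localized, and that the ActiveDirectory PowerShell module is available.

```powershell
# Run in an elevated PowerShell session on the server that hosts the CA.

# 1. CA type, read from the CertSvc configuration in the registry.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$caType = (Get-ItemProperty -Path (Join-Path $cfg $caName)).CAType
$typeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}
"CA '$caName' is: $($typeNames[[int]$caType])"

# 2. Certificates the CA has issued (Disposition 20 = issued, not revoked).
$columns = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter'
$issued  = certutil -view -restrict 'Disposition=20' -out $columns csv |
           ConvertFrom-Csv

# Count per template, then list only the certificates that have not expired.
# Column names below are the English display names (assumption).
$issued | Group-Object 'Certificate Template' | Select-Object Count, Name
$issued | Where-Object {
    [datetime]::Parse($_.'Certificate Expiration Date') -gt (Get-Date)
} | Format-Table -AutoSize

# 3. Objects published for this CA under Public Key Services in AD.
#    An Enterprise CA has entries here; a Standalone CA may have none.
#    The filter assumes the CA name has no LDAP special characters.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Public Key Services,CN=Services,$configNC" `
             -LDAPFilter "(cn=$caName*)" |
    Select-Object Name, ObjectClass, DistinguishedName
```

Unexpired certificates in step 2 identify the machines or users that would need a replacement certificate from another CA before this one is decommissioned.
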
0 Votes
VickyWang-MFST answered Ben-5025 commented

Hi,

Thanks for the update

》》Would this affect any Active Directory functionality?

Based on my knowledge, it should have no effect.

Hope this information can help you.
Best wishes
Vicky


Hi, is there any documentation anywhere that could confirm this?

0 Votes 0 ·
0 Votes
VickyWang-MFST answered

Hi,


Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.


Best Regards,
Vicky