GreggHughes-3883 asked:

Decommissioning CA - will removing role delete Trusted Root Certificate and Trusted Intermediate Certificates?

Good morning, all!

I'm nearing the end of decommissioning an old Enterprise CA in favor of a new two-tier infrastructure. Question: if I uninstall the role from the old CA server, does that automagically delete the old CA certificates from Trusted Root Certificates and Trusted Intermediate Certificates in all domain certificate stores? Or will I still have the old certs in the Trusted stores to clean up as needed?

The autoenrolled certificates have already been replaced; will manually enrolled certificates remain in the Personal store after decommissioning the CA that issued them?

Thanks!

windows-server-security

Update - I tried this in a lab environment and in that environment removing the CA role DID remove the certs from the Intermediate and Trusted Root containers. Can anyone confirm?


Addendum - the procedure removed certificates from domain controllers but not from member servers. Interesting...


Hi,
Did you follow the steps in the following link?
From the research, we need to remove the certificates issued by the CA manually after removing AD CS from the DCs.
https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

I will do a test in my lab, uninstall the CA role, and check the result.
I will update here!

Best Regards,


1 Answer

FanFan-MSFT answered:

Hi,
I completed the remove operation.
As you mentioned, the root certificate on the DC will be removed from both the Trusted Root Certificate and Trusted Intermediate Certificates stores.

On domain members, the root certificate in the Trusted Intermediate Certificates store will be removed too, but the certificate in the Trusted Root Certificate store will be kept. (Only the first CA certificate will be kept; if you renewed the CA and have some renewed CA certificates, they will be removed.)

Best Regards,


Thanks for the confirmation! I didn't look that closely at the renewed certs; this is a sandbox and doesn't get a lot of traffic.

g

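Because the thread reports that uninstalling the role cleans the trust stores on domain controllers but leaves the first CA certificate in the Trusted Root store on member servers, and that manually enrolled leaf certificates are a separate concern, an audit of the local machine stores on each server is the practical follow-up. The script below is an added example written for this thread, not code from the original post or from Microsoft's documentation. It enumerates the three stores the thread names (Trusted Root, Intermediate, Personal) under `Cert:\LocalMachine`, reports every certificate whose subject or issuer names the old CA, and, only when `-Remove` is given, removes the CA's own certificates from the two trust stores with `-WhatIf` so the operator sees what would go before committing. The CA name `Old-Enterprise-CA` is a placeholder and must be replaced with the subject CN of the decommissioned CA.

```powershell
# Added example for this thread (not the original poster's or Microsoft's code).
# Audits LocalMachine certificate stores for certificates tied to a
# decommissioned CA. Run in an elevated PowerShell session on each server.
function Get-StaleCaCertificate {
    [CmdletBinding()]
    param(
        # Placeholder: subject CN of the decommissioned CA (assumed name).
        [string]$OldCaName = 'Old-Enterprise-CA',
        # When set, removes the CA's own certs from the trust stores (with -WhatIf).
        [switch]$Remove
    )

    # Store names as the thread refers to them, keyed by the provider path segment.
    $stores = @{
        'Root' = 'Trusted Root Certification Authorities'
        'CA'   = 'Intermediate Certification Authorities'
        'My'   = 'Personal'
    }

    $findings = foreach ($storeKey in $stores.Keys) {
        Get-ChildItem -Path "Cert:\LocalMachine\$storeKey" |
            Where-Object {
                # A CA certificate (original or renewed) carries the CA name in its
                # subject; a leaf certificate issued by the CA carries it in the issuer.
                $_.Subject -like "*CN=$OldCaName*" -or $_.Issuer -like "*CN=$OldCaName*"
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $stores[$storeKey]
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    # Self-signed or subject-matching entries are the CA's own certs;
                    # everything else is a leaf cert that its owner must re-enroll.
                    IsCaCert   = ($_.Subject -like "*CN=$OldCaName*")
                    Path       = $_.PSPath
                }
            }
    }

    if (-not $findings) {
        Write-Host "No certificates referencing CN=$OldCaName found in LocalMachine stores."
        return
    }

    $findings | Format-Table Store, Subject, NotAfter, Thumbprint, IsCaCert -AutoSize

    if ($Remove) {
        # Only the CA's own certificates in the two trust stores are candidates.
        # Leaf certificates in Personal are left for their owners to replace.
        # -WhatIf reports the planned removals; drop it once the list is reviewed.
        $findings |
            Where-Object { $_.IsCaCert -and $_.Store -ne 'Personal' } |
            ForEach-Object { Remove-Item -Path $_.Path -WhatIf }
    }

    # Return the findings so the caller can export or compare across servers.
    return $findings
}

# Usage: report only (replace the placeholder CA name).
Get-StaleCaCertificate -OldCaName 'Old-Enterprise-CA'
```

Run the report form first on a domain controller and on a member server and compare the output: per the answer above, the member server is the one expected to still list the original CA certificate under Trusted Root Certification Authorities. Any entries under Personal are leaf certificates that were manually enrolled from the old CA; they stay in the store until replaced, and removing the CA's root certificate will cause chain building for them to fail, so re-enroll those before cleaning the trust stores.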