bizcntradmin-7120 asked ·

AD CS Expired Root CA

We have a 2-tier PKI environment. Every time I add a server to the domain, 2 expired root certificates appear in the Intermediate CA store of the new server.

One is the Cross Certification Authority certificate template and the other is the Root Certification template; both are expired.

We previously had a cross-certification to another PKI, but it has already been decommissioned.


I would like to know how to stop new computers from getting that certificate, and is there a way to clean up the prod server that has that expired certificate?




windows-server windows-active-directory
1 comment

Hello,

Thank you so much for posting here.

Have you checked the provided information? Hope it will be helpful.

It is noticed that we have posted the same issue twice. I have replied to you in another post. We could kindly have a check. Thanks.


Best regards,
Hannah Xiong


1 Answer

didier3001 answered ·

Hi

Did you look at the GPO targeting the computers that receive the certs?

Distribute Certificates to Client Computers by Using Group Policy

On one of the computers that receives the certs, I would run gpresult /h from an elevated command prompt and look at the generated HTML output.


--I hope this helps. Please Accept it as an answer and "Up-Vote" the answer or message(s) that helped you so that it can help others in the community looking for help on similar topics

Regards,
Didier3001
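
The check suggested in this answer can be paired with a read-only inventory of the store itself. The script below is an added example, not part of the original answer: it lists expired certificates in the local machine Intermediate CA store, reports which standard Windows physical store location holds each one (Group Policy, Active Directory, or local registry), and then writes the `gpresult /h` report. The report path and the variable names are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated PowerShell session on a server that
# received the expired certificates. Nothing here modifies the certificate store.
$now = Get-Date

# Standard Windows registry locations that feed the local machine
# "Intermediate Certification Authorities" (CA) logical store.
$sources = [ordered]@{
    'Group Policy'                  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates'
    'Enterprise (Active Directory)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates'
    'Local registry'                = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates'
}

# Expired certificates currently visible in the Intermediate CA store.
$expired = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt $now }

$report = foreach ($cert in $expired) {
    # Each physical store keeps one subkey per certificate, named by thumbprint.
    $origin = foreach ($name in $sources.Keys) {
        if (Test-Path -Path (Join-Path $sources[$name] $cert.Thumbprint)) { $name }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Origin     = if ($origin) { $origin -join ', ' } else { 'Not found in the listed locations' }
    }
}

if ($report) {
    $report | Format-List
} else {
    Write-Output 'No expired certificates found in Cert:\LocalMachine\CA.'
}

# Generate the Group Policy report mentioned in the answer (path is an assumption).
$gpReport = Join-Path $env:TEMP 'gpresult.html'
gpresult /h $gpReport /f
Write-Output "Group Policy report written to $gpReport"
```

An origin of "Group Policy" points at a GPO that should be visible in the generated report; an origin of "Enterprise (Active Directory)" means the certificate is being delivered from the directory rather than by a GPO.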