question

Asked by jeffmcnabney-8287; ClementBETACORNE commented

Removing Certificate Authority impact on domain controller

Removing CA on retiring server 12r2 DC. There are 4 certificates with outstanding expirations pending in 2022/2023. One web cert for an Exchange server that is using a separate 3rd-party SSL certificate for all its services; however, the certificate is still installed on the server itself with some services, even though the 3rd-party one is the primary one. Can I revoke that cert? Will it force the Exchange server to spit up error messages, or should I remove it from the Exchange server first? Then there are three certs, one for each of the existing domain controllers, including the one to be retired. If I revoke all the certs, what side effects might they have on the DCs? Anything?

I've never been sure what they are required for on DCs in this circumstance.

windows-server-security

Hi @jeffmcnabney-8287

From the Exchange server side, I would suggest you firstly check this link, which introduces How to Remove an SSL Certificate from Exchange Server 2013, and check the services bound to your CA certificates.

Set the parameter -Services None on your CA certificates to see if they affect your Exchange service; make sure you can completely replace/get rid of these certificates, then remove them. After that you can decommission your CA.

And I also found an official document here that gives steps, How to decommission a Windows enterprise certification authority and remove all related objects, for your reference.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


The Exchange side I will deal with. My bigger concern is the 3 certificates that are issued to the 3 domain controllers. Does AD automatically create and assign these? We have never used the CA for anything except signing certs for Exchange, which we no longer do, and would like to remove the service entirely, since the hardware is being retired. What do I do about the certificates issued to the domain controllers? What are they being used for, and can I revoke them safely to decommission the device?

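Before revoking anything, the check a practitioner would want for both the Exchange certificate mentioned in the comment above and the three domain-controller certificates asked about in the reply is an inventory of what the in-house CA actually issued to each machine: which template each certificate came from, what Enhanced Key Usages it carries, and whether a private key is present. The PowerShell below is an added example written for this thread, not code from the thread or from Microsoft's documentation. It assumes the CA's common name (the `CONTOSO-CA` placeholder) and runs in Windows PowerShell on the machine being inspected.

```powershell
# Added example (not from the thread): list the certificates in the local
# machine's Personal store that were issued by the in-house enterprise CA,
# with their template, EKUs and expiry, so the impact of revocation can be
# judged per certificate before the CA is decommissioned.
function Get-InHouseIssuedCert {
    param(
        # Assumption: substring of the issuing CA's subject; replace with your CA name.
        [string]$IssuerMatch = 'CN=CONTOSO-CA'
    )

    # OIDs for the two certificate-template extensions Windows CAs stamp on
    # issued certificates: v2 "Certificate Template Information" and the
    # legacy v1 "Certificate Template Name".
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $cert = $_
            # Decode the template extension(s) into readable text.
            $template = ($cert.Extensions |
                Where-Object { $_.Oid.Value -in $templateOids } |
                ForEach-Object { $_.Format($false) }) -join '; '
            # EnhancedKeyUsageList is the PowerShell-adapted view of the EKU extension.
            $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Template   = $template
                EKU        = $eku
                HasKey     = $cert.HasPrivateKey
            }
        }
}

# Run on each domain controller (and on the Exchange server) to see what the
# CA issued there; a certificate with no private key is not usable by a service.
Get-InHouseIssuedCert | Sort-Object NotAfter | Format-Table -AutoSize

# On the Exchange server the same question is answered per Exchange service from
# the Exchange Management Shell (shows the Services binding the comment refers to):
# Get-ExchangeCertificate | Format-Table Thumbprint, Services, Issuer, NotAfter -AutoSize
```

The Template and EKU columns are what distinguish a certificate that was only ever used for Exchange from one that a domain controller obtained from a DC-oriented template; the output is a read-only inventory, so it is safe to run on every machine before deciding which certificates to remove and in what order.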

Hi @jeffmcnabney-8287

I totally understand your concern; however, your question now is more related to Windows Server and AD, so I would add the related tags to your thread and the engineers there will give you professional support.

Thanks for your understanding!


0 Answers