How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003

Today I want to comment on the quite popular Microsoft Knowledge Base article "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server". I am referring to version 6.0 of the article, with a review date of November 18th, 2008. Be aware that the article has documentation bugs that need to be fixed. Until we publish a corrected version, consider the following information when applying the steps from the article.

  1. In Step 6 L, the article asks you to delete all certificate templates. This is misleading: it is only appropriate when you have already deleted ALL CAs in the Active Directory forest. Certificate templates are stored once per forest, in the Configuration partition, and are shared by every enterprise CA in that forest, so if any enterprise CA is still in operation, the certificate templates must not be deleted.

  2. The article does not tell you to identify all of the CA objects in Active Directory (those under the KRA container, for example), so some may be left behind. To clean up after a CA that left objects in Active Directory, run the following commands to see which AD objects remain:

    certutil -ds {CACommonName}
    certutil -ds {CAMachineNetBiosName}

    For example, if the CA common name is CorpCA01 and the NetBIOS name of the CA machine is CACorpServer, you would run the following commands:

    certutil -ds CorpCA01
    certutil -ds CACorpServer

    Once you have looked over the list of DNs displayed and are satisfied that every one of them belongs to the abandoned CA, change -ds to -dsDel and repeat the commands to delete the CA's objects. This requires Enterprise Admins permissions. Check each DN before deleting: the matching is by name only, so an object of a different CA that happens to share the name would be listed as well.

  3. In Step 6 M, the article says to delete the NTAuthCertificates object. This is wrong: the object must never be deleted. Only the certificates of the decommissioned CA should be removed from its cACertificate attribute. Use the following command to see the full LDAP path of the NTAuthCertificates object in your Active Directory:

certutil -ds -v NtAuthCertificates

With Enterprise Admins permissions you can use the following command to delete individual certificates from the NTAuthCertificates store:

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,...,DC=...,DC=com?base?cACertificate"

The -viewdelstore verb opens the certificate selection UI on the set of certificates held in the specified attribute. You can view certificate details and cancel out of the selection dialog to make no change. If you select a certificate, it is deleted from the attribute when the UI closes and the command completes.

To clean up NTAuthCertificates you can also use the PKIView MMC snap-in (pkiview.msc). It is part of the Windows Server 2003 Resource Kit Tools and of the Remote Server Administration Tools (RSAT) for Windows Server 2008 and Windows Vista.
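The following PowerShell script is an added example covering points 2 and 3 above; it is not code from the KB article or from this post. It enumerates the objects an abandoned CA left under the Public Key Services container (including KRA, which the article omits), deletes them only when asked to, and removes one selected certificate from the cACertificate attribute of NTAuthCertificates without touching the object itself. It assumes the ActiveDirectory PowerShell module (RSAT), Enterprise Admins rights, and the placeholder names CorpCA01 and CACorpServer from the example above; the thumbprint parameter is a value you supply from the listing.

```powershell
# Added example (not from the KB article or this post): report, and on request delete,
# the AD objects of an abandoned enterprise CA, and prune its cert from NTAuthCertificates.
# Assumes the ActiveDirectory module and Enterprise Admins rights. Run it WITHOUT -Delete
# first (or with -WhatIf), review the output, then rerun with -Delete.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CACommonName     = 'CorpCA01',      # assumed: CA common name from the post's example
    [string]$CAMachineName    = 'CACorpServer',  # assumed: CA host NetBIOS name from the post's example
    [string]$CACertThumbprint = '',              # SHA-1 thumbprint of the CA cert to remove from NTAuth
    [switch]$Delete                              # without this switch nothing is changed
)

Import-Module ActiveDirectory -ErrorAction Stop

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# ---- Point 2: objects under Public Key Services named after the CA or its host ----------
# This matches by name, exactly like "certutil -ds <name>", so every hit must be checked.
$wanted   = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA'
$existing = (Get-ADObject -SearchBase $pks -SearchScope OneLevel -Filter *).Name
$leftovers = foreach ($c in ($wanted | Where-Object { $_ -in $existing })) {
    Get-ADObject -SearchBase "CN=$c,$pks" -SearchScope Subtree -Properties objectClass `
                 -LDAPFilter "(|(cn=$CACommonName)(cn=$CAMachineName))"
}

# Deepest DN first: a child DN is always longer than its parent's, so children are
# removed before the container that holds them (e.g. CN=CorpCA01 under CN=CACorpServer,CN=CDP).
$leftovers = $leftovers | Sort-Object { $_.DistinguishedName.Length } -Descending
"`nObjects left behind by the CA (review every DN before deleting):"
$leftovers | Format-Table ObjectClass, DistinguishedName -AutoSize

if ($Delete) {
    foreach ($o in $leftovers) {
        if ($PSCmdlet.ShouldProcess($o.DistinguishedName, 'Remove-ADObject -Recursive')) {
            Remove-ADObject -Identity $o.DistinguishedName -Recursive -Confirm:$false
        }
    }
}

# ---- Point 3: prune NTAuthCertificates, never delete the object itself ------------------
$ntAuthDN = "CN=NTAuthCertificates,$pks"
$ntAuth   = Get-ADObject -Identity $ntAuthDN -Properties cACertificate

# Decode each DER value of the multi-valued cACertificate attribute so the admin can
# pick the right one by thumbprint instead of guessing in the -viewdelstore dialog.
$entries = foreach ($raw in $ntAuth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Subject    = $cert.Subject
        Raw        = [byte[]]$raw      # kept so the exact stored value can be removed
    }
}
"`nCertificates currently in NTAuthCertificates:"
$entries | Format-Table Thumbprint, NotAfter, Subject -AutoSize

if ($Delete -and $CACertThumbprint) {
    $tp     = $CACertThumbprint.Replace(' ', '').ToUpperInvariant()
    $victim = $entries | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $victim) { throw "No NTAuthCertificates entry with thumbprint $tp" }

    if ($PSCmdlet.ShouldProcess($ntAuthDN, "remove cACertificate value $tp")) {
        # -Remove takes one value out of the multi-valued attribute; the object survives.
        Set-ADObject -Identity $ntAuthDN -Remove @{ cACertificate = $victim.Raw }
    }
}
```

Typical use is `.\Cleanup-AbandonedCA.ps1` to get the two listings, then `.\Cleanup-AbandonedCA.ps1 -Delete -CACertThumbprint <thumbprint from the listing>` once each DN and the selected certificate have been confirmed to belong to the decommissioned CA. Because the script only removes a value from cACertificate, the check at the end of the KB procedure still holds: the NTAuthCertificates object remains in place, and domain members refresh their local copy of the NTAuth store from it through autoenrollment.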