Checklist: Decommissioning a certification authority

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Checklist: Decommissioning a certification authority

Once a certification authority (CA) is configured and operating in an enterprise, it becomes an important security resource. The certification authority is required by existing clients to renew certificates, by new clients to issue certificates, and by users of certificates to verify the trustworthiness of issued certificates. If a CA is removed from an enterprise without following the appropriate procedure, functionality may be impaired and extensive cleanup work may be required to restore clients to functionality.

  Step Reference

Perform a backup of the certification authority (CA) database to ensure recoverability of data at a later date.

Back up a certification authority


Deny all pending certificate requests currently stored on the CA.

Review pending certificate requests


(Optional) Allow the Active Directory directory service to replicate the certificate denials and allow Group Policy to inform the clients that the certificate request is denied. The denied clients are then informed that their request was denied so they can remove the request from their list of outstanding requests.

Replication overview


Revoke the CA's certificate from its parent CA. When revoking the CA certificate, specify the reason as "Cessation of Operation."

Revoke an issued certificate


Manually publish a new certificate revocation list (CRL) to ensure the CRL contains revocation information about the CA that was recently revoked.

Manually publish the certificate revocation list


Uninstall the Certificate Services component.

Uninstall a certification authority


Remove remaining information about this CA from Active Directory.

At a command prompt, type certutil.exe -dsdel CAName and press ENTER, where CAName is the name of the CA you are removing.