Finding myself with a 2008 AD integrated certificate authority gone bork, I wanted to get it completely out of AD. The server was long since dead, so gracefully uninstalling Certificate Services was not an option. Its presence wasn't hurting anything, but if you know me at all, you know I like a clean AD.
The main steps below were taken from http://support.microsoft.com/kb/889250, but I have changed them to match up with what I did for Windows 2008. The biggest difference was that I had to go into ADSIEDIT to do most of this, instead of AD Sites & Services.
Determine the CACommonName of the CA.
If you do not remember this, create an msc, add the Certificates snap-in for your local computer, and browse down the tree to Trusted Root Certification Authorities. Expand Certificates, then browse through until you find the name of the failed CA.
Then follow these steps, being careful NOT to delete other PKI objects such as those from TMG or other CAs in your environment.
- Click Start, Run, then type adsiedit.msc and click OK.
- Right-click ADSI Edit, select connect to, and choose Configuration from the drop down menu for "Select a well known naming context."
- Expand Services, expand Public Key Services, and then click the AIA folder.
- In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
- In the left pane, click the CDP folder.
- In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
- In the left pane, click the Certification Authorities node.
- In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
- In the left pane, click the Enrollment Services node.
- In the right pane, check whether the pKIEnrollmentService object for your CA is still present (it would only have been removed if Certificate Services had been uninstalled cleanly). If the object is still there, right-click the object, click Delete, and then click Yes.
- At the root of CN=Public Key Services, find the object CN=NTAuthCertificates and access its properties. There is a multi-valued attribute, cACertificate, whose values are DER-encoded certificates. Remove the entry that corresponds to your dead CA. Hopefully you will only have one, since the values are encoded rather than readable. If you see multiple, you can try to figure out which is the correct one by picking it out chronologically, or by converting the encoding to ASCII characters, or perhaps you could consult the Tarot, or I Ching. Sorry, I don't have much better advice to give on this one.
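Before deleting anything in ADSI Edit, it helps to have an inventory of what actually lives under Public Key Services and which cACertificate value in NTAuthCertificates belongs to the dead CA. The PowerShell below is an added example, not part of the original post; it only reads the Configuration partition and decodes the certificate blobs so the "which encoded entry is mine" problem in the last step goes away. It assumes the ActiveDirectory module (RSAT) is available, and the values of $DeadCaName and $DeadCaHost are placeholders you replace with your own CACommonName and the old CA's hostname.

```powershell
# Added example: inventory the AD PKI objects and decode NTAuthCertificates
# so each object can be matched to the dead CA before it is removed.
# Requires the ActiveDirectory module (RSAT) and read access to the
# Configuration partition. The two names below are placeholders.
Import-Module ActiveDirectory

$DeadCaName = 'OLD-ROOT-CA'      # placeholder: CACommonName from step 1
$DeadCaHost = 'OLDCASERVER'      # placeholder: hostname of the dead CA server

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# The same containers the ADSI Edit walkthrough visits, in the same order.
$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services'

foreach ($c in $containers) {
    $containerDN = "CN=$c,$pkiBase"
    Write-Host "== $containerDN =="
    Get-ADObject -SearchBase $containerDN -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $containerDN } |
        ForEach-Object {
            # CDP holds one sub-container per server, so match on hostname too.
            $mark = ''
            if ($_.Name -like "*$DeadCaName*" -or $_.Name -like "*$DeadCaHost*") {
                $mark = '<-- matches dead CA'
            }
            '{0,-26} {1} {2}' -f $_.ObjectClass, $_.DistinguishedName, $mark
        }
}

# NTAuthCertificates: each cACertificate value is a DER-encoded X.509
# certificate, so decode it and print the subject instead of guessing.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
Write-Host "== NTAuthCertificates cACertificate values =="
$i = 0
foreach ($der in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    $mark = if ($cert.Subject -like "*CN=$DeadCaName*") { '<-- dead CA' } else { '' }
    '[{0}] Subject={1} NotAfter={2:yyyy-MM-dd} Thumbprint={3} {4}' -f `
        $i, $cert.Subject, $cert.NotAfter, $cert.Thumbprint, $mark
    $i++
}

# Once a value is confirmed to be the dead CA, this removes just that value
# (dry run shown; drop -WhatIf to apply). Left commented so the script stays read-only.
# Set-ADObject -Identity $ntauth -Remove @{ cACertificate = $der } -WhatIf
```

Run it once before you start clicking, keep the output open beside ADSI Edit, and you will not delete the AIA or CDP entry that belongs to a live CA. The NTAuthCertificates section prints a thumbprint for every value, so the value you remove can also be checked against the dead CA's certificate in your local Trusted Root store.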
Then log on to a domain controller, open an administrative cmd prompt and run this command.
certutil -dcinfo deleteBad [enter]
Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.
Finally, go into your default domain GPO, Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies and remove the root certificate from the list of Trusted Root Certificate Authorities. Give your clients time to refresh group policy, and you’re all set.
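Once group policy has refreshed, it is worth confirming on a domain member that the old root really is gone from the machine stores rather than assuming it. This is an added example, not from the original post; $DeadCaName is a placeholder for your CACommonName, and the script only reads the local certificate stores after forcing a policy refresh.

```powershell
# Added example: verify on a domain member that nothing issued by or to the
# dead CA remains in the machine Root or Intermediate stores after GPO refresh.
$DeadCaName = 'OLD-ROOT-CA'   # placeholder: CACommonName of the dead CA

# Force a computer policy refresh so the GPO change is applied before checking.
gpupdate /target:computer /force | Out-Null

$stores    = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$leftovers = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*CN=$DeadCaName*" -or $_.Issuer -like "*CN=$DeadCaName*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotAfter, Thumbprint
}

if ($leftovers) {
    Write-Host "Certificates from $DeadCaName are still present:"
    $leftovers | Format-Table -AutoSize
} else {
    Write-Host "No certificates from $DeadCaName remain in the machine Root or CA stores."
}
```

If a certificate still shows up after the refresh, check whether it was installed locally by hand rather than by GPO; removing it from the policy only removes the copy the policy put there.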
But since you really ought to wait for group policy to propagate before you make any other changes, you should take a few moments to yourself and resist the temptation to make more changes. Trust me, this is for your own good. Tell your boss I said so. As I was finishing this up, I overheard the word "Willoughby" and was reminded of one of my favourite episodes of The Twilight Zone. The time it takes you to enjoy the show below should be just enough time to wait for GPO propagation to complete before you do anything else.
What? It's at least as good an excuse as "my code's compiling!"
10 comments:
I have a dead CA that I need to remove. I only have the one dead one, am I better off removing it from AD first using your steps or should I add a new one then remove the old?
Remove the dead one first…that way, you won’t have to try to figure out what pieces go with which CA. About the only way to screw this up is to select the wrong AIA or CDP for removal (which I have done in the past…don’t be that guy!) and that won’t be an issue for you if you haven’t installed the new CA yet.
Perfect!!! Thank you very much for this info.
Ran into a problem when removing the value for the cACertificate. It basically tells me this value cannot be null. Any thoughts?
Billy, which step # are you on, and were you deleting the cACertificate, or an attribute of it? You cannot have an object without a value, but you should be deleting the cACertificate itself, not just blanking the value.
I've also had the situation where you can't delete the cACertificate entry and it was the only one.
The referenced http://support.microsoft.com/kb/889250 goes at it like this:
certutil -viewdelstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC=local?cACertificate?base?objectclass=certificationAuthority"
Then you get the GUI to select what to delete. That worked for me.
You seem to have a typo on this page:
5. In the left pane of the Active Directory Sites and Services MMC snap-in, click the CDPfolder.
Should this be the ADSI Edit MMC? Points 7 and 9 also say the same.
Hi Andy,
Thanks for pointing that out. You are correct, it should be adsiedit.msc. And fixed.
Ed
At step 11 above, I had multiple entries. I clicked each one, went to edit the hex strings, copied all the hex data, and pasted it into this translator:
http://www.idea2ic.com/PlayWithJavascript/hexToAscii.html
There’s a little bit of garbage left over, but it’s clear enough to see the name of the machine you are looking for easily.
Awesome tip Kyle, thanks!