22 Responses to Manually remove old CA references in Active Directory

  1. eric says:

    THANK YOU!!! Had to rebuild my PKI deployment and was beating my head against the wall trying to figure out where the old certs were coming from.

  2. dinero says:

    Hello,
    We have only one CA (Ent. Root CA) issuing all certs. I have set up a new Ent. subordinate CA, and when I requested a computer cert from a member server, the request was going to the Sub CA instead of the Root CA.

    When I disable the computer template on the subordinate CA and submit a new request from the member server, the request fails saying the template is not published on the Sub CA … BUT the template is published on the Root CA.

    How do we tell domain member servers to request certs from the Root CA when the template is not available on the Sub CA?

    I was planning to set the registry flag to enable SAN certs on the subordinate CA, disable the standard templates and configure the computer template to require CA approval, but with the above behavior that may break the auto-enroll process for computer and user certs, as member servers are requesting certs from the Sub CA instead of the Root CA.

    Is the above behavior expected? Any suggestions?

    • Tom Aafloen says:

      Hello,

      It is VERY unusual to have both a Root CA and an Issuing CA online and both giving out leaf certificates. Any reason for doing it this way? The most common PKI setup is to have one offline Root CA that ONLY signs SubCA certificate requests from one or more online Issuing CAs. There are of course even more complex PKI setups as well.

      That being said, when a client wants to autoenroll it looks in AD to see which templates it has permission to autoenroll from. Then it looks in the “Enrollment Services” container in AD to see which CAs actually publish those templates. If more than one CA publishes the same template it chooses only one of the CAs; it never enrolls a certificate from a template it already has a valid certificate from. So the fact that the computer cert was coming from the SubCA was probably random; it could also have come from the RootCA.

      If you manually enroll a certificate via MMC you should be able to choose which of the CA-servers (that are publishing the template in question) you want to enroll from.

      Did you delete the old computer certificate, revoke it on the CA or try to re-enroll from the existing certificate?

      I would NOT recommend modifying the CA server to enable the flag EDITF_ATTRIBUTESUBJECTALTNAME2. This can be abused, see this blog post:
      https://blog.css-security.com/blog/hidden-dangers-certificate-subject-alternative-names-sans

      The CA can still issue certificates with SAN, by using certificate extensions instead of request attributes. See more details here:
      https://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx
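
      The lookup described in the reply above (which CAs are registered in Enrollment Services and which templates each publishes), plus a check for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag the reply warns against, as an added PowerShell example that is not part of the original post or its comments. It assumes the ActiveDirectory RSAT module, read access to the configuration naming context, and, for the registry check, remote access to each CA host. The function names are my own; certutil and certreq are the standard Windows tools.

```powershell
# Added example (not part of the original post): inspect the Enrollment Services
# container that autoenrollment consults, and check each CA for the SAN flag.
# Assumes the ActiveDirectory module (RSAT) and read access to the configuration NC.
# 'certutil -getreg' needs remote registry access to each CA host.

Import-Module ActiveDirectory

# One object per online enterprise CA: config string, CA certificate, published templates.
function Get-EnterpriseCA {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties dNSHostName, certificateTemplates, cACertificate |
    ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [byte[]]$_.cACertificate[0])
        [pscustomobject]@{
            Name       = $_.Name
            Config     = "$($_.dNSHostName)\$($_.Name)"   # the certutil/certreq -config value
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Templates  = @($_.certificateTemplates)       # template CNs, e.g. 'Machine', 'User'
        }
    }
}

# The lookup autoenrollment performs: which CAs publish this template?
# The attribute stores the template CN ('Machine'), not its display name ('Computer').
function Get-CAPublishingTemplate {
    param([Parameter(Mandatory)][string]$TemplateCN)
    Get-EnterpriseCA | Where-Object { $_.Templates -contains $TemplateCN }
}

# True if policy\EditFlags on the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) set.
# certutil expands the DWORD into flag names, so a text match on the output is enough.
function Test-CASubjectAltNameFlag {
    param([Parameter(Mandatory)][string]$Config)
    $out = & certutil.exe -config $Config -getreg policy\EditFlags 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed for ${Config}: $out" }
    $out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2'
}

# Enroll from one specific CA instead of letting the client pick (certreq -config).
function Request-MachineCertificate {
    param([Parameter(Mandatory)][string]$Config, [string]$TemplateCN = 'Machine')
    & certreq.exe -enroll -machine -q -config $Config $TemplateCN
}

Get-EnterpriseCA | Format-Table Name, Config, Thumbprint, NotAfter -AutoSize
Get-CAPublishingTemplate -TemplateCN 'Machine' | Select-Object Name, Config
foreach ($ca in Get-EnterpriseCA) {
    "{0}: EDITF_ATTRIBUTESUBJECTALTNAME2 = {1}" -f $ca.Config, (Test-CASubjectAltNameFlag -Config $ca.Config)
}
```

      If the SAN flag reports True on any CA, every template that CA publishes with "Supply in the request" subjects lets a requester choose an arbitrary UPN, which is the abuse the linked post describes; the fix is to clear the flag (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart the service) and use the extension-based method from the TechNet link instead.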

  3. Tom
    I have had an issue with a 2012 server that has a domain migrated from a previous SBS 2011 server. They never uninstalled the CA role before they decommissioned the SBS and dcpromo’d to remove it from AD. Now the 2012 server and clients are looking for a long-gone DC to renew certs, causing errors for CertificateServiceClient-AutoEnrollment Event ID 6 and 13.

    The old DC has been gone for years, so can these steps be used to safely remove all the references to the cert that should have been removed properly? If so, will it affect AD or the clients in any way? I have a few Windows 10 PCs that now say “Certificate expired” when they start up.

    thanks

    • Tom Aafloen says:

      Yes, these steps could be used to remove any remains of a no-longer-existing CA server, regardless of whether it was installed on a DC, SBS or a dedicated server. Be sure NOT to remove any object related to any new CA servers though.
      The effect it will have on the clients/servers is that they will no longer find references to that server during the auto enrollment process and will therefore no longer try (and fail).
      Expired certs are natural, since you have not renewed or issued them for a long time. But do they say it with some sort of dialog, or is it just in the event log?
      Feel free to share your results here 🙂

  4. Grae says:

    Thanks for this – I replaced an old SBS server with a plain old DC and Exchange setup – but that SBS had been an unused CA, and although I removed that before demoting and removing it, the other DCs were creating warnings constantly trying to re-register their certs.

  5. Great article. Helped me a lot in getting rid of those old certificates in the enterprise ca certificate store.

  6. David Amos says:

    We had an SBS server that was removed (and correctly, according to MS instructions) and replaced with a 2008 R2 DC and separate Exchange. The only certificate on the new DC is the old SBS certificate. Is it OK to remove this and have no AIS PKS on the DC?

    • Tom Aafloen says:

      Hi David.
      It’s hard to be sure without more information. What type of certificate is present on the new DC?
      My advice would be to make a backup of the certificate (including the private key), just in case, and then delete it. IF issues occur, just reimport it again.
      What do you mean by AIS PKS?

  7. STGdb says:

    Can you delete all of the entries in the OID container as well? I have some entries in there that go back quite a few years (and this is a new “test” PKI deployment that I want to rebuild). Thanks

    • Tom Aafloen says:

      The OID container contains many default OIDs, such as Server Authentication, Client Authentication etc. Sure, you should be able to delete them and recreate the default ones with the command certutil -installdefaulttemplates, but I have never done this.

  8. Martin Onley says:

    Hi Tom,
    Many thanks for this. I have a question relating to the NtAuthCertificates object – if you do certutil -viewstore would you expect to see the certificate you’re looking to remove in the list? Only when I do this, the certificate from our dead CA isn’t listed, equally I’d expect to see a cert relating to our new CA, that’s not displayed either
    Many thanks
    Martin

    • Tom Aafloen says:

      Hi Martin!
      The Enterprise CA certificate is added to the NtAuthCertificates container in AD during CA install. Domain Controllers then look in that AD container during smart card logon verification. But that certificate is not propagated to the NtAuthCertificates container locally on clients/servers. That certificate will however be propagated to the Intermediate Certification Authorities container on clients.
      To view/edit the NtAuthCertificates container in AD, start pkiview.msc, right-click Enterprise PKI, choose Manage AD Containers and select the tab NTAuthCertificates.
      Hope that helped!

      • Martin Onley says:

        Hi Tom,
        Many thanks for the prompt reply – doing as you suggested only shows the cert for the new CA server so it looks like there’s nothing else to clean up
        Thanks once again!
        Martin
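
      The NTAuthCertificates check discussed in this thread, as an added PowerShell example that is not part of the original post or its comments. It reads the cACertificate values of the NTAuthCertificates object in AD (the same container pkiview.msc shows under Manage AD Containers), flags expired entries, and wraps certutil -viewdelstore for removal. It assumes the ActiveDirectory RSAT module; removal needs Enterprise Admin rights. Function names are my own.

```powershell
# Added example (not part of the original post): list the CA certificates stored in the
# NTAuthCertificates object in AD and open certutil's picker to delete a stale one.
# Assumes the ActiveDirectory module; deleting from the object needs Enterprise Admin.

Import-Module ActiveDirectory

function Get-NtAuthDistinguishedName {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
}

# Decode every value of the multi-valued cACertificate attribute into a readable row.
function Get-NtAuthCertificate {
    $obj = Get-ADObject -Identity (Get-NtAuthDistinguishedName) -Properties cACertificate
    foreach ($blob in $obj.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Entries whose subject or issuer matches a name fragment, e.g. the dead CA's name.
function Find-NtAuthCertificate {
    param([Parameter(Mandatory)][string]$NamePattern)
    Get-NtAuthCertificate | Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern }
}

# Interactive removal: certutil opens a picker over the same LDAP object. Nothing is
# deleted until you select an entry and confirm in the dialog.
function Remove-NtAuthCertificateInteractive {
    $url = "ldap:///$(Get-NtAuthDistinguishedName)?cACertificate?base?objectClass=certificationAuthority"
    & certutil.exe -viewdelstore $url
}

Get-NtAuthCertificate | Format-Table Subject, Thumbprint, NotAfter, Expired -AutoSize
# Find-NtAuthCertificate -NamePattern 'OldSBS'   # placeholder name fragment
# Remove-NtAuthCertificateInteractive
```

      An expired entry here is not just clutter: anything still listed in NTAuthCertificates is trusted by domain controllers for smart card and certificate logon, so a decommissioned CA's certificate should be removed rather than left to age out.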

  9. Todd Schmitt says:

    I followed the procedure outlined in this article. We too had a CA that had long since been decommissioned. All of the issued Certs (Root, Intermediate and machine) are expired. I have not yet installed a new CA. I notice in AD Sites and services that there are 31 objects in the Certificate Templates folder in AD Sites and Services. Is it OK to delete the objects? There is also an object called “NTAuthCertificates” in the root of the Public Key Services folder. Can this object be deleted?
    Lastly, am I free to delete all existing Computer, Intermediate and Root Certs that were issued by the old decommissioned CA?

    • Tom Aafloen says:

      Hi Todd!

      I generally do NOT delete objects in the Certificate Templates container. I rather install a new Issuing CA (without loading the default templates) and only publish the certificate templates that I know I want to use. Remember that certificate templates are not stored by CA servers but rather by AD, and each Issuing CA then chooses which of them it publishes. There is no way to use a certificate template that no Issuing CA is publishing.

      But technically you can delete them. A new CA installation will re-add them, or you can add them manually by running “certutil -installdefaulttemplates”.

      If you are absolutely sure that there are no more certificates stored in the object called NTAuthCertificates, you could delete it. But if you do not see any certificates by running pkiview.msc, right-clicking Enterprise PKI, choosing Manage AD Containers and selecting the tab NTAuthCertificates, there is no need to delete the object.

      Since the old Root CA certificate has expired, all issuing and leaf certificates will also have expired. So yes, you can delete anything that chains to that expired Root CA.

      • Todd Schmitt says:

        Tom,
        I really want to thank you for your prompt reply!

        I have now installed a non-domain-joined Root CA and created the Root CRL and cert for my domain. (This Root CA will then be shut down.) I will then install a domain-joined Sub-CA, copy the Root cert and CRL to it, and publish the Root CRL and AIA to Active Directory. When the new Sub-CA starts publishing, will it simply overwrite the old certs in my AD?

        Thank you in advance!

      • Tom Aafloen says:

        Hi,

        You do not actually need to copy the Root CA cert and CRL files to the Issuing CA server, any domain joined computer will work (including the Issuing CA).

        When the Sub-CA is installed it will publish its own certificate and CRL to AD (you need to copy the files to any HTTP locations you configure, this is not automatic).

        No certificates in AD will be overwritten, it will only add its own.
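
      The clean-up step from earlier in this thread ("you can delete anything that chains to that expired Root CA"), as an added PowerShell example that is not part of the original post or its comments. It walks the local machine certificate stores, builds each certificate's chain ignoring validity errors so expired chains still resolve, keeps those whose top element is the old root, backs them up (PFX where a private key is exportable, as the advice above recommends) and deletes them. $OldRootThumbprint is a placeholder you replace with the decommissioned root's SHA-1 thumbprint; function names are my own.

```powershell
# Added example (not part of the original post): find every certificate in the local
# machine stores whose chain ends at a decommissioned root, back it up, and delete it.
# $OldRootThumbprint is a placeholder for the old root CA's SHA-1 thumbprint.

function Get-CertificateChainingTo {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,
        [string[]]$Stores = @('My', 'CA', 'Root')
    )
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$store") {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            # Only the path matters here: expired certs and unreachable CRLs must not stop the build.
            $chain.ChainPolicy.RevocationMode   = 'NoCheck'
            $chain.ChainPolicy.VerificationFlags = 'AllFlags'
            $null = $chain.Build($cert)
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $chain.Dispose()
            if ($top.Thumbprint -eq $RootThumbprint) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    HasKey     = $cert.HasPrivateKey
                    Path       = $cert.PSPath
                }
            }
        }
    }
}

function Remove-CertificateChainingTo {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,
        [string]$BackupDir = "$env:ProgramData\PKI-cleanup",
        [securestring]$BackupPassword
    )
    $null = New-Item -ItemType Directory -Path $BackupDir -Force
    foreach ($hit in Get-CertificateChainingTo -RootThumbprint $RootThumbprint) {
        if ($PSCmdlet.ShouldProcess("$($hit.Store)\$($hit.Thumbprint)", "Remove $($hit.Subject)")) {
            $certObj = Get-Item $hit.Path
            if ($hit.HasKey -and $BackupPassword) {
                # Restorable copy including the key; throws if the key is marked non-exportable.
                Export-PfxCertificate -Cert $certObj -Password $BackupPassword `
                    -FilePath (Join-Path $BackupDir "$($hit.Thumbprint).pfx") | Out-Null
            } else {
                Export-Certificate -Cert $certObj `
                    -FilePath (Join-Path $BackupDir "$($hit.Thumbprint).cer") | Out-Null
            }
            Remove-Item -Path $hit.Path -DeleteKey
        }
    }
}

$OldRootThumbprint = '0000000000000000000000000000000000000000'   # placeholder, replace
Get-CertificateChainingTo -RootThumbprint $OldRootThumbprint |
    Format-Table Store, Subject, NotAfter, HasKey -AutoSize
# Dry run first, then drop -WhatIf:
# Remove-CertificateChainingTo -RootThumbprint $OldRootThumbprint `
#     -BackupPassword (Read-Host -AsSecureString 'PFX password') -WhatIf
```

      Run the listing on the new Issuing CA and on a DC before deleting anything, and check that the new root's thumbprint never appears in the output; the thumbprint match on the chain's top element is what keeps the script from touching certificates issued by the replacement PKI.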

  10. Jaspreet says:

    Hello,

    We have one Ent. Root CA issuing all certs. I have set up a new Ent. subordinate CA, and when I requested a computer/user cert from another server or from the domain controller itself, the request is going to the Root CA instead of the Sub CA.

    What could be the issue and how can I rectify it?
