27 Responses to Manually remove old CA references in Active Directory

  1. eric says:

    THANK YOU!!! Had to rebuild my PKI deployment and was beating my head against the wall trying to figure out where the old certs were coming from.

  2. dinero says:

    Hello ,
    We have only one CA ( Ent. Root CA) issuing all certs.I have setup a new Ent. subordinate CA , and when I requested computer cert from a member server , the request was going to Sub CA instead of Root CA..

    When i disable computer template on the subordinate CA , and submit new request from member server , the request is failing saying template is not published on sub CA …BUT the template is published on Root CA.

    How do we tell domain member servers to request cert from Root CA , when template is not available on Sub CA.

    I was planning to set the registry flag to enable SAN certs on subordinate CA , and disable standard templates and configure computer template to require CA approval.. but with the above behavior that may break the auto enroll process for computer and user certs , as member servers are requesting certs from Sub CA instead of Root CA

    Is the above behavior expected ? Any suggestions ?

    • Tom Aafloen says:

      Hello,

      It is VERY unusual to have both a Root CA and an Issuing CA online and both giving out leaf certificates. Any reason for doing it this way? The most common PKI setup is to have one offline Root CA that ONLY signs SubCA certificate requests from one or more online Issuing CAs. There are of course even more complex PKI setups as well.

      That being said, when a client wants to autoenroll it looks in AD to see which templates they have permission to autoenroll from. Then they look in the “Enrollment Services” container in AD to see which CAs actually publish those templates. If more than one CA publish the same template they chose only one of the CAs, they never enroll a certifikate from a template they already have a valid certifivate from. So the fact that the computer cert was coming from the SubCA was probably random, it could also have come from the RootCA.

      If you manually enroll a certificate via MMC you should be able to choose which of the CA-servers (that are publishing the template in question) you want to enroll from.

      Did you delete the old computer certificate, revoke it on the CA or try to re-enroll from the existing certificate?

      I would NOT recommend modifying the CA server to enable the flag EDITF_ATTRIBUTESUBJECTALTNAME2. This can be abused, see this blog post:
      https://blog.css-security.com/blog/hidden-dangers-certificate-subject-alternative-names-sans

      The CA can still issue certificates with SAN, by using certificate extensions instead of request attributes. See more detailes here:
      https://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

  3. Tom
    I have had an issue with an 2012 server that has a domain migrated from a previous sbs 2011 server. They never uninstalled the CA role before they decommissioned the sbs and drpromo’d to remove from AD. Now the 2012 server and clients are looking for a long gone DC to renew Certs and causing Errors for CertificateServiceClient-AutoEnrollment Event ID 6 and 13.

    The old DC is long gone years ago, so can these steps be used to safely remove all the references to the CERT that should have been reomoved properly? If so will it affect AD or the clients in anyway? I have a few windows 10 pcs that no say Certificate expired when they start up.

    thanks

    • Tom Aafloen says:

      Yes, these steps could be used to remove any remains of a no-longer-existing CA server, regardless of if it was installed on a DC, SBS or a dedicated server. Be sure NOT to remove any object related to a any new CA servers though.
      The affect it will have on the clients/servers is that they will no longer find references to that server during auto enrollment process and will therefor no longer try (and fail).
      Expired certs is natural, since you have not renewed or issued them for a long time. But do they say it with some sort of dialog, or is it just in the event log?
      Feel free to share your results here 🙂

  4. Grae says:

    Thanks for this – I replaced an old SBS server with a plain old DC and Exchange setup – but that SBS had been an unused CA, and although I removed that before demoting and removing it, the other DCs were creating warnings constantly trying to re-register their certs.

  5. Great article. Helped me a lot in getting rid of those old certificates in the enterprise ca certificate store.

  6. David Amos says:

    We had an SBS server that was removed (and correctly according to MS intructions), and replaced with 2008 R2 DC and separate Exchange, the only certificate on the new DC is the old SBS certificate, is it ok to remove this and have no AIS PKS on the DC?

    • Tom Aafloen says:

      Hi David.
      It’s hard to be sure without more information. What type of certificate is present on the new DC?
      My advice would be to make a backup of the certificate (including the private key), just in case, and then delete it. IF issues occur, just reimport it again.
      What do you mean by AIS PKS?

  7. STGdb says:

    Can you delete all of the entries in the OID container as well? I have some entries in there that go back quite a few years (and this is a new “test” PKI deployment that I want to rebuild). Thanks

    • Tom Aafloen says:

      The OID container contains many default OIDs, such as Server Authentication, Client Authentication etc. Sure, you should be able to delete them and recreate the default ones with the command certutil -installdefaulttemplates, but I have never done this.

  8. Martin Onley says:

    Hi Tom,
    Many thanks for this. I have a question relating to the NtAuthCertificates object – if you do certutil -viewstore would you expect to see the certificate you’re looking to remove in the list? Only when I do this, the certificate from our dead CA isn’t listed, equally I’d expect to see a cert relating to our new CA, that’s not displayed either
    Many thanks
    Martin

    • Tom Aafloen says:

      Hi Martin!
      The Enterprise CA certificate is added to the NtAuthCertificates container in AD during CA install. Domain Controllers then look in that AD container during smart card logon verification. But that certificate is not propagated to the NtAuthCertificates container locally on clients/servers. That certificate will however be propagated to the Intermediate Certification Authorities container on clients.
      To view/edit the NtAuthCertificates container in AD, start pkiview.msc, right-click Enterprise PKI, choose Manage AD Containers and select the tab NTAuthCertificates.
      Hope that helped!

      • Martin Onley says:

        Hi Tom,
        Many thanks for the prompt reply – doing as you suggested only shows the cert for the new CA server so it looks like there’s nothing else to clean up
        Thanks once again!
        Martin

  9. Todd Schmitt says:

    I followed the procedure outlined in this article. We too had a CA that had long since been decommissioned. All of the issued Certs (Root, Intermediate and machine) are expired. I have not yet installed a new CA. I notice in AD Sites and services that there are 31 objects in the Certificate Templates folder in AD Sites and Services. Is it OK to delete the objects? There is also an object called “NTAuthCertificates” in the root of the Public Key Services folder. Can this object be deleted?
    Lastly, am I free to delete all existing Computer, Intermediate and Root Certs that were issued by the old decommissioned CA?

    • Tom Aafloen says:

      Hi Todd!

      I generally do NOT delete objects in the Certificate Templates container. I rather install a new Issuing CA (without loading the default templates), and only publish the Certificate Templates that I know I want to use. Remeber that certificate templates are not stored by CA servers but rather by AD, and each Issuing CA then choose which of them they publish. There is no way to use a certificate template that no Issuing CA is publishing.

      By technically you can delete them. A new CA installation will re-add them, or you can add them manually by running “certutil -installdefaulttemplates”.

      If you are absolutley sure that there are no more certificates stored in the object called NTAuthCertificates, you could delete it, but if you do not see any certificates by running pkiview.msc, right-clicking Enterprise PKI, choosing Manage AD Containers and select the tab NTAuthCertificates, there is no need to delete the object.

      Since the old Root CA certificate has expired, all issuing and leaf certificate will also have expired. So yes, you can delete anything that chains to that expired Root CA.

      • Todd Schmitt says:

        Tom,
        I really want to thank you for your prompt reply!

        I have now installed a non-domain joined Root CA and created Root CRL and Cert for my domain. (This Root CA will then be shut down) I will then install a domain joined Sub-Ca, copy the Root Cer and CRL to it, and publish the Root CRL and AIA to Active directory. When the new Sub-CA starts publishing, will it simply overwrite the old certs in my AD?

        Thank you in advance!

      • Tom Aafloen says:

        Hi,

        You do not actually need to copy the Root CA cert and CRL files to the Issuing CA server, any domain joined computer will work (including the Issuing CA).

        When the Sub-CA is installed it will publish its own certificate and CRL to AD (you need to copy the files to any HTTP locations you configure, this is not automatic).

        No certificates in AD will be overwritten, it will only add its own.

  10. Jaspreet says:

    Hello ,

    We have one Ent. Root CA issuing all certs. I have setup a new Ent. subordinate CA , and when I requested computer/user cert from another server or Domain controller itself , the request is going to Root CA instead of Sub CA.

    What could be the issue and how can I rectify it

  11. Benjam says:

    You guys are the Angels of the IT world; sharing such a valuable knowledge with such details. We say God bless u when someone do something as nice as u have; so God Bless you. Thanks a Million.

  12. Jess Owens says:

    Greetings, I’m glad I stumbled across this article in my scouring of the interwebs!

    I have the standard 1 offline root CA and two online subCA setup. I need to decommission one of the subCAs since that location is closing. All of the certs issued on custom templates will be decommissioned as well, so I’m not worried about those, but I have workstations with certs issued on the server I need to retire on the Computer (Machine) Template that is fed via domain. I’d like to know, what is the impact to these workstations when I uninstall Certificate Services from the subCA? Is there a graceful way to push them to re-request a domain cert from the remaining subCA? Can I remove the retiring subCA cert entry from ADS&S > Services > Public Key Services > Enrollment Services to force the workstations to re-request?

    • Tom Aafloen says:

      Hi Jess!
      If you remove a CA that has issued certificates that are still valid, it can no longer issue fresh CRLs for these, and they will soon become untrusted (at least on platforms where CRL checks are performed).

      The first step is to make sure that the Template is published on the CA server that will remain.

      Then you could choose to “Reenroll all certificate holders” for that Template. This means that anyone that has a certificate based on this template will re-enroll for a new one at the next check-in. But this also means that those who enrolled from this template on the remaining CA will renew as well. And some computers might not be on-prem to enroll, but still needs the current certificate to be valid.

      To manage this you can issue a CRL on the CA that will be removed, with a validity that is longer than any issued certificates from it. This way the certificates from the old CA will be valid until they expire (but you won’t be unable to revoke any certificates). Make sure that the CRL is still available at the old CDP (might need to reconfigure DNS, depending on where you store it today).

      Alos, be sure to backup the old CA (including keys) before you remove it, you never know if you might need to restore it for some reason.

      I hope this answers your question?

  13. Bernd says:

    Hi Jess,
    we have installed a new PKI in our AD domain. I think we have replaced all relevant certificates off the old PKI with those from the new PKI. Since there are thousands off old certificates and not only Microsoft-devices I want to be sure what will happen, when I remove the old CA i.e. if I forgot any device.
    Is there a possibility to simulate the removal of the old PKI?
    Thanks in advance
    Bernd

  14. David Pearce says:

    I had a customer ask me the following:
    In AD Sites & Services they have an orphaned Domain Controller that is long gone that used to be a CA (Not sure what type)

    They asked if it was ok to delete the orphaned DC and if it would not have any impact on any certificates that it had issued?

    My first thought is no, but I can’t seem to find anything to validate this. Does anyone have any thoughts or know the definite answer?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s