Remove Deprecated Certification Authorities from Active Directory

Disclaimer

I am writing this blog and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment or are even safe to perform in your environment. It is recommended that you contact Microsoft Support prior to making changes in your environment to ensure that these steps are applicable to your environment, and are safe to perform in your environment. By writing this blog I am in no way recommending that you perform these steps in your own environment. If you choose to follow the steps outlined in this or other blog postings on this site, you are assuming the risk for your actions.

Background

Sometimes, if you are new to an environment or exploring PKI for the first time, you may find Certification Authorities populated in Active Directory that no longer exist in the environment, or you may have had problems removing a CA from Active Directory. In those cases you can manually remove the PKI objects from Active Directory. This posting covers how to remove the CA and its PKI objects from Active Directory.

It is extremely important to note that you should not do this unless you are 100% certain that you are no longer going to use the Certification Authority or any certificates that have been issued from that Certification Authority.

The PKI objects exist in the Configuration partition of Active Directory. Hence, these objects are replicated to every Domain Controller in the forest, and by default only members of the Enterprise Admins group can write to that partition. This means that the user removing the PKI objects from Active Directory must be a member of the Enterprise Admins group. Also keep in mind that, since this is an Active Directory change, it will need to replicate to every DC in the forest, which, depending on your replication convergence time, may take a while.

Pre-requisites

  • Access to a machine that has the Active Directory Certificate Services (ADCS) Remote Server Administration Tools (RSAT)
  • The machine must be a member of the Active Directory forest that hosts the CA
  • The user removing the PKI objects must be a member of the Enterprise Admins group
  • You have backed up Active Directory using a System State backup or other approved backup method

Removing the Deprecated CA and related PKI objects from Active Directory

Step 1: Logon to a machine with an account that is a member of the Enterprise Admins group

Step 2: Launch Enterprise PKI (PKIView.msc)

Step 3: Identify the CA you want to remove from Active Directory

Step 4: Right-click on Enterprise PKI and from the context menu select Manage AD Containers…

Step 5: On the NTAuthCertificates tab, select the certificate associated with the deprecated CA and click the Remove button

Step 6: When prompted to confirm the removal, click Yes

Step 7: Select the AIA Container tab

Step 8: Select the certificate associated with the deprecated CA and click the Remove button

Step 9: When prompted to confirm the removal, click Yes

Step 10: If you are prompted that this is the last certificate in the object, click Yes to confirm the removal

Step 11: Navigate to the CDP Container tab

Step 12: If present, select the Delta CRL associated with the deprecated CA and click the Remove button

Step 13: When prompted to confirm the deletion, click Yes

Step 14: Select the Base CRL associated with the deprecated CA and click the Remove button

Step 15: When prompted to confirm the removal of the CRL, click Yes

Step 16: If prompted that this is the last CRL in the object, click Yes to confirm the removal

Step 17: If prompted that this is the last CDP object in the container, click Yes to confirm the removal

Step 18: Navigate to the KRA Container tab

Step 19: If there are any certificates associated with the deprecated CA, remove them

Step 20: Navigate to the Certification Authorities Container (if the CA is not a Root CA it may be absent from this container)

Step 21: Select the certificate associated with the deprecated CA and click Remove

Step 22: When prompted to confirm the deletion, click Yes

Step 23: If prompted that this is the last certificate in the object, click Yes to confirm the deletion

Step 24: Navigate to the Enrollment Services Container (the CA may be absent from this container if ADCS was gracefully removed from the machine)

Step 25: Select the certificate associated with the deprecated CA and click Remove

Step 26: When prompted to confirm the deletion, click Yes

Step 27: If prompted that this is the last certificate in the object, click Yes to confirm the deletion

Step 28: Click OK to close the window

Step 29: Right-click on Enterprise PKI and select Refresh from the context menu

Step 30: Verify that the deprecated CA is no longer displayed in Enterprise PKI (you may have to wait until AD replication converges).
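The steps above work one tab at a time in the Manage AD Containers dialog. The PowerShell script below is an added example, not code from the original post: it enumerates the same containers under CN=Public Key Services in the Configuration partition, reports every object or certificate value that references the deprecated CA, and deletes them only when -Remove is given. It assumes the RSAT ActiveDirectory module is installed, that you are logged on as an Enterprise Admin, and that $CaName is the CA common name exactly as Enterprise PKI displays it; the -Server parameter and the Subject/Issuer matching rule are my own choices, not anything the post specifies.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example; this is not code from the original post. It lists the objects under
 CN=Public Key Services in the Configuration partition that still reference a deprecated
 CA and, only when -Remove is given, deletes them the way the Manage AD Containers
 dialog does by hand. Assumptions: the RSAT ActiveDirectory module is installed, the
 caller is an Enterprise Admin, and $CaName is the CA common name exactly as Enterprise
 PKI displays it. Run it without -Remove first; -Remove also honours -WhatIf and -Confirm.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CaName,
    [switch] $Remove,
    [string] $Server            # optional DC to query, e.g. to check replication convergence
)

$ad = @{}
if ($Server) { $ad.Server = $Server }
$pks = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE @ad).configurationNamingContext

# Decode a DER blob stored in AD and compare its Subject (or Issuer) CN with the CA name.
function Test-CertBelongsToCa {
    param([byte[]] $Der, [switch] $ByIssuer)
    try { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der) }
    catch { Write-Warning 'Skipping a value that does not decode as a certificate'; return $false }
    return $cert.GetNameInfo('SimpleName', [bool]$ByIssuer) -eq $CaName
}

# The certificate stores behind the NTAuthCertificates, AIA, KRA, Certification Authorities
# and Enrollment Services tabs. CA stores hold the CA's own certificate (match on Subject);
# KRA holds certificates the CA issued to recovery agents (match on Issuer). Matching the CA
# stores on Subject only leaves a still-live subordinate CA chained to this CA alone.
$stores = @(
    @{ Base = "CN=NTAuthCertificates,$pks";        Attr = 'cACertificate';   ByIssuer = $false }
    @{ Base = "CN=AIA,$pks";                       Attr = 'cACertificate';   ByIssuer = $false }
    @{ Base = "CN=KRA,$pks";                       Attr = 'userCertificate'; ByIssuer = $true  }
    @{ Base = "CN=Certification Authorities,$pks"; Attr = 'cACertificate';   ByIssuer = $false }
    @{ Base = "CN=Enrollment Services,$pks";       Attr = 'cACertificate';   ByIssuer = $false }
)

foreach ($s in $stores) {
    $attr = $s.Attr
    foreach ($obj in (Get-ADObject @ad -SearchBase $s.Base -LDAPFilter "($attr=*)" -Properties $attr)) {
        $values = $obj.$attr
        if ($values -is [byte[]]) { $values = ,$values }       # a lone value arrives unwrapped
        $hits = [System.Collections.Generic.List[byte[]]]::new()
        foreach ($v in $values) {
            if (Test-CertBelongsToCa -Der $v -ByIssuer:$s.ByIssuer) { $hits.Add($v) }
        }
        if ($hits.Count -eq 0) { continue }
        # Same rule as the "last certificate in the object" prompt: delete the whole object,
        # except NTAuthCertificates itself, which is the store and must stay.
        $wholeObject = ($hits.Count -eq $values.Count) -and ($obj.DistinguishedName -ne $s.Base)
        $action = if ($wholeObject) { 'delete object' } else { "remove $($hits.Count) of $($values.Count) $attr value(s)" }
        [pscustomobject]@{ Object = $obj.DistinguishedName; Action = $action }
        if (-not $Remove) { continue }
        if ($wholeObject) {
            if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove-ADObject')) {
                Remove-ADObject @ad -Identity $obj -Confirm:$false
            }
        } elseif ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Remove $attr value(s)")) {
            Set-ADObject @ad -Identity $obj -Remove @{ $attr = $hits.ToArray() }
        }
    }
}

# CDP objects are named after the CA: CN=<CA name>,CN=<CA host>,CN=CDP,... The base and
# delta CRL are two attributes of that one object, so deleting it removes both.
$ldapName = [regex]::Replace($CaName, '[\\*()]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
$cdpRoot  = "CN=CDP,$pks"
foreach ($cdp in (Get-ADObject @ad -SearchBase $cdpRoot -LDAPFilter "(&(objectClass=cRLDistributionPoint)(cn=$ldapName))")) {
    [pscustomobject]@{ Object = $cdp.DistinguishedName; Action = 'delete object (base and delta CRL)' }
    if ($Remove -and $PSCmdlet.ShouldProcess($cdp.DistinguishedName, 'Remove-ADObject')) {
        Remove-ADObject @ad -Identity $cdp -Confirm:$false
        # Same as the "last CDP object in the container" prompt: drop the per-server
        # container once it holds nothing else.
        $parent = $cdp.DistinguishedName -replace '^CN=(?:\\.|[^,])+,', ''
        if ($parent -ne $cdpRoot -and -not (Get-ADObject @ad -SearchBase $parent -SearchScope OneLevel -Filter *)) {
            Remove-ADObject @ad -Identity $parent -Confirm:$false
        }
    }
}
```

Run it first without -Remove and compare the listing with what the Manage AD Containers dialog shows; add -WhatIf or -Confirm alongside -Remove to preview or approve each deletion. Because the NTAuthCertificates object is the store itself, the script only strips values from it and never deletes it, and because the AIA and Certification Authorities containers are matched on the certificate Subject, a subordinate CA that was issued by the deprecated CA but is still in use is left alone. Once replication has converged, rerunning without -Remove and with -Server pointing at another domain controller gives the same check as the final refresh-and-verify step, one DC at a time.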

Below is a video on this same topic that I posted a few days before this blog entry.

Thank You for taking time out of your day to visit my blog!

-Chris