[Last Call] Learn how to a build a cloud-first strategyRegister Now


Can I safely Remove our certificate authority in our Active Directory network?

Posted on 2008-11-04
Medium Priority
Last Modified: 2012-05-05
We currently have a root ca setup on a 2003 std box.  I only used it for one self signed cert.  I noticed that it has given out certs to domain controllers.  If I remove ca from this server will this break anything?  I want to install ca on our 2003 enterprise server to take advantage of windows mobile device manager.  I want it to be the root ca instead of a subordinate that is why I want to remove it from one server.  Also what if I want to phase out one of these ca's, how could I do this without causing issues?


Question by:LSB-IT
1 Comment
LVL 31

Accepted Solution

Paranormastic earned 800 total points
ID: 22879200
How to decom a CA server properly from AD:
How to move a CA to another server:

Also, as a side note, you might want to reconsider not having a two tier infrastructure.  You may not need it now, but you might really want it later.  This makes things easier when dealing with multiple domains, migrating CA's, handling extra load, etc.  Keep the root offline - don't even join it to a domain, that way it is domain independent and will not be affected by whatever you do to your domain.  2003 or 2008 standard edition is fine for creating and enterprise root CA, for the issuing subordinate, use 2003 or 2008 enterprise edition.  

Usually setting up the root in a VM environment helps cut the cost down a little bit, and you can configure a private network between the root and subordinate for pushing the CRL over - just create a script to publish the CRL 'certuti -crl' to run every 1/2 the CRL validity period specified in the CA console.  Then just map a drive to the sub CA and copy it over there, then have the sub CA copy that and its own CRL to the CRL distribution points.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question