milott
asked on
Domain Controller Certificate Renewal
I am replacing the Entreprise CA's in our Forest. New CA's are in place and I am ready to revoke all domain controller certificates and turn off the old CA's. The process includes revoking all existing issued certificates. Microsoft doc is here - http://support.microsoft.com/kb/889250
I then need to remove all the revoked certificates on all the domain controllers and reboot them so they pick up a new certificate from the new CA's. This is easy enough to do via the Certificates MMC on each server, but there are 80 domain controllers and it would take a lot of time. Domain controllers are a mix of 2003 SP2 and 2008.
The KB article mentioned above mentions the dsstore command that can be used to remove certificates, but this command is not recognised on our servers (support tools are installed on the 2003 servers). In any case it looks like user interaction is required with this script and that makes it hard to automate.
Anyone know of a way to script the removal of certificates from the local store? I need a batch or VBscript so I can push it out remotely.
I then need to remove all the revoked certificates on all the domain controllers and reboot them so they pick up a new certificate from the new CA's. This is easy enough to do via the Certificates MMC on each server, but there are 80 domain controllers and it would take a lot of time. Domain controllers are a mix of 2003 SP2 and 2008.
The KB article mentioned above mentions the dsstore command that can be used to remove certificates, but this command is not recognised on our servers (support tools are installed on the 2003 servers). In any case it looks like user interaction is required with this script and that makes it hard to automate.
Anyone know of a way to script the removal of certificates from the local store? I need a batch or VBscript so I can push it out remotely.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks I did spot that on a second read and tried it. certutil -dcinfo deleteBad identified the revoked certificates but did not remove them from the remote servers.
I found however that it sorted itself out over several days as the DC's all picked up new certs from the new CA's automatically.
thanks