Server 2008 CA - How to remove?

Posted on 2009-12-18
Last Modified: 2012-05-08
I have a DC that is a CA. I'm inheriting this environment and there is an Enterprise PKI named Merlin that I want to remove because I have no idea what/where it is.

How do I do this?
Question by:LrdKanien
    LVL 3

    Accepted Solution

    Since the CA is a DC, this might be an Enterprise CA. This makes things tricky because Enterprise CAs intertwine themselves with Active Directory. Ripping the CA out of the enterprise is possible, but complicated. Fortunately there is a Microsoft KB that can help. It was written for Windows 2000/2003 but the steps should still be similar:
    LVL 31

    Assisted Solution

    ...  Just because you don't know what it is doesn't mean it isn't important.  Look at it first to see what all is issued - decomming it could break everything!
    LVL 31

    Expert Comment

    The Merlin CA could be an old CA that is being kept around for older servers that haven't been renewed yet, could be an offline root CA, etc.

    Try looking at the AIA value of the certificate for that cert (details tab - Authority Information Access entry) - it is common to have the filename be ServerName_CAName.crt for this - given that you may be able to track it down better.

    You can also try opening certsrv.msc from your workstation - it will err since you don't have the CA running on that box, accept that message - right click Certification Authority (local) - Retarget CA - Another computer - browse.  If it shows up in this list then there should be a computer name entry for it.

    Another method is from the CRL Distribution Point (CDP) listing in the details of the cert properties from a cert issued from the Merlin CA, if you can find one (sometimes the CA might also have one entered for itself if it was done wrong).  Access a CDP location and view it to find out when the next update for the CRL should be, then you can capture traffic for about 10 minutes or so around that CDP location, since you know where that is.

    Also, check both CA server certs to find out if one issued the other.
    LVL 31

    Expert Comment

    If you feel confident that it is able to be removed, the article pointed to from JoltinJoe is the correct one - where it is now you essentially open AD Sites & Services - view Services node - expand Services and find the Public Key Services entry and go through that to remove entries for the old CA. I would make a copy of that cert from the MMC first and keep that around, just in case you need to add it back again. If you find that box (if the main is on a DC then there's a good chance this may have just been a test on the same or a different DC) then try searching for a .pfx file. If you find it installed still on another box then make sure to open the CA MMC and back up the CA from the GUI for the database and private key, just in case - and keep a copy of the CA cert and last CRL.
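The locating and backup steps described in the comments above (the Enrollment Services entry that names the host, the AIA/CDP URLs on the CA certificate, and keeping a copy of the cert before touching AD Sites & Services), as an added PowerShell example that is not code from any of the answers. It assumes a domain-joined host with read access to the Configuration partition; the CA name "Merlin" comes from the question, and $ExportDir is a placeholder path.

```powershell
# Added example (not from any answer above): find where a CA named "Merlin" is
# registered in AD and save its certificate before removing anything.
# Assumptions: domain-joined box, read access to the Configuration partition;
# $ExportDir is a placeholder path of your choosing.
param(
    [string]$CaName    = "Merlin",
    [string]$ExportDir = "C:\PKI-backup"
)
if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }

$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNc"

# Containers an Enterprise CA populates when it is installed.
# Enrollment Services is the key one: its dNSHostName names the machine hosting the CA.
$containers = "CN=Enrollment Services", "CN=Certification Authorities", "CN=AIA", "CN=CDP"

foreach ($container in $containers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$container,$pkiRoot"
    $searcher.SearchScope = "Subtree"
    $searcher.Filter      = "(cn=*$CaName*)"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn","distinguishedName","dNSHostName","cACertificate"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        Write-Host ("[{0}] {1}" -f $container, $props["distinguishedname"][0])
        if ($props.Contains("dnshostname")) {
            Write-Host ("    hosted on: {0}" -f $props["dnshostname"][0])
        }
        if ($props.Contains("cacertificate")) {
            # Keep a copy of the CA cert (DER) so it can be re-added if removal breaks something.
            $bytes = [byte[]]$props["cacertificate"][0]
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
            $file  = Join-Path $ExportDir ("{0}_{1}.cer" -f $props["cn"][0], $cert.Thumbprint)
            [IO.File]::WriteAllBytes($file, $cert.Export("Cert"))
            # Subject vs. issuer shows whether another CA (e.g. an offline root) issued this one.
            Write-Host ("    subject: {0}  issuer: {1}" -f $cert.Subject, $cert.Issuer)
            Write-Host ("    saved copy: {0}" -f $file)
            # AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31) URLs point at the server publishing them.
            foreach ($ext in $cert.Extensions) {
                if ("1.3.6.1.5.5.7.1.1","2.5.29.31" -contains $ext.Oid.Value) {
                    Write-Host ("    {0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true))
                }
            }
        }
    }
}
```

No hit under Enrollment Services but hits under AIA or Certification Authorities usually means the CA was already uninstalled or is offline, and only its published certificate is left behind.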
