Server 2008 CA - How to remove?

I have a DC that is a CA.  I'm inheriting this environment and there is a Enterprise PKI named Merlin that I want to remove because I have no idea what/where it is.

How do I do this?
Who is Participating?
JoltinJoeConnect With a Mentor Commented:
Since the CA is a DC, this might be an Enterprise CA.  This makes things tricky because Enterprise CAs intertwine themselves with Active Directory.  Ripping the CA out of the entperise is possible, but complicated.  Fortunately there is a Microsoft KB that can help.  It was written for Windows 2000/2003 but the steps should still be similar:
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
...  Just because you don't know what it is doesn't mean it isn't important.  Look at it first to see what all is issued - decomming it could break everything!
ParanormasticCryptographic EngineerCommented:
The Merlin CA could be an old CA that is being kept around for older servers that haven't been renewed yet, could be an offline root CA, etc.

Try looking at the AIA value of the certificate for that cert (details tab - Authority Information Access entry) - it is common to have the filename be ServerName_CAName.crt for this - given that you may be able to track it down better.

You can also try opening certsrv.msc from your workstation - it will err since you don't have the CA running on that box, accept that message - right click Certification Authority (local) - Retarget CA - Another computer - browse.  If it shows up in this list then there should be a computer name entry for it.

Another method is from the CRL Distribution Point (CDP) listing in the details of the cert properties from a cert issued from the Merlin CA, if you can find one (sometimes the CA might also have one entered for itself if it was done wrong).  Access a CDP location and view it to find out when the next update for the CRL should be, then you can capture traffic for about 10 minutes or so around that CDP location, since you know where that is.

Also, check both CA server certs to find out if one issued the other.
ParanormasticCryptographic EngineerCommented:
If you feel confident that it is able to be removed, the article pointed to from JoltinJoe is the correct one - where it is now you essentially open AD sites & services - view services node - expand services nad find the public key policy and go through that to remove entries for the old CA.  I would make a copy of that cert from the MMC first and keep that around, just in case you need to add it back again.  If you find that box (if the main is on a DC then there's a good chance this may have just been a test on the same or a different DC) then try searching for a .pfx file.  If you find it installed still on another box then make sure to open the CA MMC and backup the CA from the gui for the database and private key, just in case - and keep a ccopy of the ca cert and last CRL.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.