Certificate authority and my inherited mess

Posted on 2010-04-04
Last Modified: 2012-05-09
I inherited a real nightmare at a new customer's office. Here is the nightmare.
Windows SBS 2003. Runs great now (had a few problems, they were solved by you guys, thanks). Windows Server 2003. Was running as a member server and then for some dumbass reason the guy made it a domain controller. Uggh. Unfortunately when I tried to demote it, it was running the certificate services and the demotion would not go through.
I looked at the certificate services and it only has 2 active certificates and they both point to the SBS 2003 server. It appears that the only thing they are running or being used for is self-signed certificates that run the Remote services. They don't appear to be using OWA at all and are not even using RPC over HTTP.
What is the best way to demote the server to make it a member server again?
Question by: jonmenefee
Accepted Solution

Shreedhar Ette earned 2000 total points
ID: 29753688

Refer to the article mentioned below to decommission the certification authority:

After that you can demote the Windows 2003 server to a member server.

Note: Before making any changes take the System State backup of both the servers.

I hope this helps,

Author Comment

ID: 29841900
Thanks Shree, I will give that a try tonight :)

Expert Comment

ID: 29860491
You FIRST need to deactivate the SSL services that use self-signed certificates in your SBS (only 2 services run).

Certificate Server is a CA, so you need to revoke all active certificates that were issued by the CA:
   1. Click Start -> Administrative Tools -> Certification Authority.
   2. Expand your CA, and click the Issued Certificates folder.
   3. In the right pane, click one of the issued certificates, and press CTRL+A to select all issued certificates.
   4. Right-click the selected certificates, click All Tasks, and click Revoke Certificate.
   5. In the Certificate Revocation dialog box, click to select Cease of Operation as the reason for revocation, and then click OK.

Now increase the CRL publication interval:
   1. In the Certification Authority Microsoft Management Console snap-in, right-click the Revoked Certificates folder, and then click Properties.
   2. In the CRL Publication Interval box, type a suitably long value, and then click OK.

After that you need to publish a new CRL:
   1. In the Certification Authority MMC snap-in, right-click the Revoked Certificates folder.
   2. Click All Tasks, and then click Publish.
   3. In the Publish CRL dialog box, click New CRL, and then click OK.

It is necessary to deny any pending requests.

By default, an enterprise CA does not store certificate requests.
However, an administrator can change this default behavior.
You need to check this state and deny any pending certificate requests; follow these steps:

   1. In the Certification Authority MMC snap-in, click the Pending Requests folder.
   2. In the right pane, click one of the pending requests, and then press CTRL+A to select all pending certificates.
   3. Right-click the selected requests, click All Tasks, and then click Deny Request.

Uninstall Certificate Services from the server:
   1. To stop Certificate Services, click Start, click Run, type cmd, and then click OK.
   2. At the command prompt, type certutil -shutdown, and then press ENTER.
   3. To list all key stores for the local computer, type certutil -key at the command prompt.
This command displays the names of all installed cryptographic service providers (CSPs) and the key stores that are associated with each provider.

Microsoft Enhanced Cryptographic Provider v1.0:
  MS IIS DCOM ClientSYSTEMS-1-5-18
  MS IIS DCOM Server
  Windows2000 Enterprise Root CA
  MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500


Expert Comment

ID: 29861846
Part II

In the last listing you only need to look at the CA entry; for example, in the last paragraph you see:
       Windows2000 Enterprise Root CA

4. Delete the private key that is associated with the CA.
Type the following at a command prompt:

            certutil -delkey "Windows2000 Enterprise Root CA"

5. List the key stores again to verify that the private key for the CA has been deleted.
6. After you delete the private key for your CA, uninstall Certificate Services.

To do this, follow these steps:
   a. Close the Certification Authority MMC snap-in if it is still open.
   b. Click Start, point to Control Panel, and then click Add/Remove Programs.
   c. Click Add/Remove Windows Components.
   d. In the Components box, click to clear the Certificate Services check box, click Next, and then follow the instructions in the Windows Components Wizard to complete the removal of Certificate Services.

NOW you need to remove the CA objects from Active Directory.
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

These objects are the following:

    * certificateAuthority object
          o Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
          o Contains the CA certificate for the CA.
          o Published Authority Information Access (AIA) location.
    * crlDistributionPoint object
          o Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CRL periodically published by the CA.
          o Published CRL Distribution Point (CDP) location.
    * certificationAuthority object
          o Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Contains the CA certificate for the CA.
    * pKIEnrollmentService object
          o Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
          o Created by the enterprise CA.
          o Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

Remove all Certification Services objects from Active Directory

Delete certificates published to the NtAuthCertificates object

To remove the CA database, delete the %systemroot%\System32\Certlog folder.

Clean up domain controllers
The Windows Server 2003 Resource Kit tools also include the Pkiview.msc utility to help you remove CA objects from the domain.

AFTER ALL THIS, maybe you DEMOTE the Domain Controller of your SBS.
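The Active Directory cleanup above names the containers but gives no way to confirm that nothing is left behind, and a stale pKIEnrollmentService or NTAuthCertificates entry keeps clients enrolling against, and trusting, a CA that no longer exists. The following PowerShell check is an added example written for this thread (not code from either poster or from Microsoft); it assumes it is run by an Enterprise Admin on a domain member, and the CA name is a placeholder taken from the certutil -key output quoted above.

```powershell
# Added example: report Active Directory objects that still reference a decommissioned CA.
# Placeholder CA name taken from the "certutil -key" listing in the thread.
param(
    [string]$CaName = "Windows2000 Enterprise Root CA"
)

# Public Key Services lives in the forest configuration partition; read its DN from RootDSE.
$rootDse = [ADSI]"LDAP://RootDSE"
$pks = "CN=Public Key Services,CN=Services," + $rootDse.Get("configurationNamingContext")
$pattern = [regex]::Escape($CaName)

# The four containers listed in the answer. CDP is one level deeper:
# CN=<ServerName>,CN=CDP,... holds the crlDistributionPoint objects.
$containers = @("CN=AIA", "CN=Certification Authorities", "CN=Enrollment Services", "CN=CDP")
$leftovers = @()

foreach ($rdn in $containers) {
    $container = [ADSI]("LDAP://" + $rdn + "," + $pks)
    foreach ($child in $container.psbase.Children) {
        if ($rdn -eq "CN=CDP") {
            foreach ($crl in $child.psbase.Children) {
                if ($crl.psbase.Name -match $pattern) { $leftovers += $crl.psbase.Path }
            }
        } elseif ($child.psbase.Name -match $pattern) {
            $leftovers += $child.psbase.Path
        }
    }
}

# NTAuthCertificates is a single object whose multi-valued cACertificate attribute holds every
# CA trusted for domain logon; a leftover entry keeps the dead CA trusted for authentication.
$ntAuth = [ADSI]("LDAP://CN=NTAuthCertificates," + $pks)
foreach ($raw in $ntAuth.psbase.Properties["cACertificate"]) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$raw)
    if ($cert.Subject -match $pattern) {
        $leftovers += ("NTAuthCertificates: " + $cert.Subject + " (thumbprint " + $cert.Thumbprint + ")")
    }
}

if ($leftovers.Count -eq 0) {
    "No Active Directory objects still reference '$CaName'."
} else {
    "Objects still referencing '$CaName' (remove them with pkiview.msc or ADSI Edit):"
    $leftovers
}
```

Run it once before the Add/Remove Windows Components step to record what the CA published, and again after the cleanup; an empty result is the signal that the demotion can proceed without the CA leaving trust anchors behind.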


Author Comment

ID: 29902465
Thanks for the comment, Jzel. :-)

Author Closing Comment

ID: 31710814
Shreedhar's solution was perfect. Jzel put on this page the exact step-by-step solution that Shreedhar used (word for word).
Thank you both for quick responses to an interesting problem :-)
