Decommissioning a Server 2003 Certificate Authority - Part 2


I have just finished decommissioning a couple of internal CAs and have also since created a new one. I followed the Microsoft document to undertake the decommissioning process, which was fine except for one of the final stages.

Near the bottom, at step 9, it says: 'Important: Do not use this procedure if you are using certificates that are based on version 1 domain controller templates' in relation to cleaning up domain controller certificates. However, I'm not sure how I would know, so my question is: how do I find out what version they are?

The command 'certutil -dcinfo' displays a number of old certificates that I would like to clean up; however, I don't want to proceed without being sure. Both of the old CAs were Windows Server 2003 Enterprise.

Cryptographic Engineer
1) On the DCs you can run this to clean up the stale certs:
certutil -dcinfo deletebad

2) If you look at the certificate in the Certificates MMC snap-in (Local Computer) - Personal - Certificates, look for the Version field on the Details tab. Otherwise you can look at the output via the command line. I forget offhand whether the output of certutil -dcinfo includes the template version or not; if it does, it would probably be one of the first couple of lines. If nothing else it should give you the cert text, which you can copy into a .txt or .cer file and then run certutil -dump filename.txt

C:\CertTemp>certutil -dump junk.cer   | more
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
X509 Certificate:
Version: 3
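The following is an added example, not code from the original question or answer. The Version field on the Details tab is the X.509 version (3 for every certificate an enterprise CA issues), not the template version, so it does not answer the step 9 question by itself. What does distinguish the two generations is which template extension the certificate carries: a certificate enrolled from a version 1 template (such as the built-in DomainController template) carries the "Certificate Template Name" extension, OID 1.3.6.1.4.1.311.20.2, whose value is just the template name; a certificate enrolled from a version 2 or later template carries the "Certificate Template Information" extension, OID 1.3.6.1.4.1.311.21.7, which holds the template OID and major/minor version numbers. The script below walks the local computer's Personal store on a DC and reports that classification per certificate, together with the issuer, so certificates from the old CAs stand out. It assumes PowerShell 2.0 or later on the DC (or on a machine where the DC certificates have been imported); the function name Get-TemplateGeneration is this example's own.

```powershell
# Added example (not from the original post): classify each certificate in the
# local computer's Personal store by the generation of the template it was
# enrolled from, using the two Microsoft template extensions.
# Assumes PowerShell 2.0 or later, run elevated on the domain controller.

$V1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name"  -> version 1 templates
$V2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # "Certificate Template Information" -> version 2+ templates

function Get-TemplateGeneration {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Pick the first matching extension of each kind (a certificate normally has only one).
    $v1 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $V1TemplateNameOid } | Select-Object -First 1
    $v2 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $V2TemplateInfoOid } | Select-Object -First 1

    if ($v2) {
        # Format($true) renders the extension as lines such as
        #   Template=DomainController(1.3.6.1.4.1.311.21.8....)
        #   Major Version Number=100
        #   Minor Version Number=0
        $text  = $v2.Format($true)
        $lines = $text -split "`r?`n"
        $tmpl  = ($lines | Where-Object { $_ -match '^Template=' }) -replace '^Template=', ''
        return New-Object PSObject -Property @{
            Generation = 'v2+ template'
            Template   = [string]$tmpl
            Detail     = (($lines | Where-Object { $_ -match 'Version Number' }) -join '; ')
        }
    }
    elseif ($v1) {
        # Version 1 templates carry only the template name, no version numbers.
        return New-Object PSObject -Property @{
            Generation = 'v1 template'
            Template   = $v1.Format($false).Trim()
            Detail     = 'Certificate Template Name extension only; step 9 of the decommissioning article does not apply'
        }
    }
    else {
        return New-Object PSObject -Property @{
            Generation = 'no template extension'
            Template   = ''
            Detail     = 'Not enrolled from an enterprise CA template'
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $gen = Get-TemplateGeneration -Cert $_
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Generation = $gen.Generation
        Template   = $gen.Template
        Detail     = $gen.Detail
    }
} |
    Sort-Object Generation, Issuer, NotAfter |
    Select-Object Generation, Template, Issuer, Subject, NotAfter, Thumbprint, Detail |
    Format-Table -AutoSize -Wrap
```

Any domain controller certificate that comes back as 'v1 template' (the template name will read DomainController) is exactly the case the article's step 9 warns about, so the cleanup procedure should be skipped for that DC until it has been re-enrolled from a version 2 or later template. The same two extension names appear in certutil -dump output under "Certificate Template Name (Certificate Type)" and "Certificate Template Information", so the certutil route in the answer above leads to the same classification.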


Many thanks.
