Root CA being published for Enterprise CA that no longer exists

Posted on 2011-05-03
Last Modified: 2012-05-11
I'm running into a minor issue with our certificate services in our domain and can't seem to figure out how to resolve.

We had an old Enterprise CA (DCSERVER) that was set up, used for a little bit, then decommissioned before I started.  I think they just uninstalled the role from the server (2003) once they were done testing.

Since then I have completely decommissioned this server (demoted from AD and shut it down forever).

The problem is this CA's certificate is still being published to the Trusted Root CA store on all the domain members.  I can't seem to figure out how to get rid of this certificate.  I deleted it from the local store on my PC and it is back after a restart which leads me to believe AD is pushing this back to me on a GPO refresh.

Anyone know how to get rid of this certificate forever?
Question by: mcsween

    Expert Comment

    by:Adam Brown
    You'll need to find the Group Policy that is publishing the certificate. Run RSOP.MSC on a computer and look for settings under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. This will tell you which GPO(s) are pushing that certificate out and you can then remove the setting from there.
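The RSOP check above tells you whether a Group Policy object is the source. The following is an added example, not code from the thread, that answers the same question from the client side: the Cert:\LocalMachine\Root view is merged from three registry locations (the machine's own store, the Group Policy-delivered store, and the enterprise store that is populated from Active Directory), so looking up a certificate's thumbprint under each one shows which channel is feeding it. The function name and the 'DCSERVER' subject string are assumptions for illustration.

```powershell
# Added example (not from the thread): for each certificate in the machine's Trusted Root
# store whose subject matches a string, report which registry source feeds it. The Cert:
# drive shows a merged view; the three hives below are where the local, the Group
# Policy-delivered and the AD-published (enterprise) entries actually live.
function Get-RootCertSource {
    param([Parameter(Mandatory)] [string] $SubjectMatch)  # e.g. 'DCSERVER' (assumed)

    $sources = @{
        Local       = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
        GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
        Enterprise  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    }

    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            $tp = $_.Thumbprint
            [pscustomobject]@{
                Subject     = $_.Subject
                Thumbprint  = $tp
                NotAfter    = $_.NotAfter
                # Each key under a hive is named by the certificate's SHA-1 thumbprint.
                Local       = Test-Path (Join-Path $sources.Local $tp)
                GroupPolicy = Test-Path (Join-Path $sources.GroupPolicy $tp)
                Enterprise  = Test-Path (Join-Path $sources.Enterprise $tp)
            }
        }
}

# Example run (subject string taken from the thread; output columns say where to look next).
Get-RootCertSource -SubjectMatch 'DCSERVER' | Format-Table -AutoSize
```

Reading the output: GroupPolicy = True means a GPO is delivering it and the RSOP path above will show which one; Enterprise = True means it is being published from the Configuration partition of Active Directory (the Public Key Services containers that an enterprise CA registers itself in), which no GPO setting will remove; Local only means a manual deletion will stick.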

    Author Comment

    Thanks for the reply but this certificate isn't being pushed out through "conventional" group policy.  This was the Trusted Root Certificate for an Enterprise CA installed on a domain controller.  The certificate was being deployed automatically through auto-enrollment.  

    Expert Comment

    In your default domain policy look at Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

    You will probably find the certificate in there and will be able to remove it. I don't believe this will remove it from the hosts in your domain, but it should keep it from being pushed out any more once you delete it manually.

    Also check default domain controller policy as well as any other custom policies you may have in your environment.

    I don't know that you can actually autoenroll trusted certificates - autoenroll is more intended for user/computer certs

    Good Luck

    Author Comment

There are no certificates being enrolled through Group Policy (at least under Public Key Policies\Trusted Root Certification Authorities).


    Accepted Solution

Open Active Directory Sites and Services.
Right-click the top line, expand View, then select Show Services Node.
Expand the Public Key Services node and all expandable nodes under it.

Browse through the information; wherever you see the name of the retired certification authority, right-click it and delete it. You will likely find it under AIA and Certification Authorities. You will possibly find it under Enrollment Services and KRA.
Wherever you see the name of the server that used to host it, right-click and delete it; it will likely be in a container under CDP.

    Leave the OID node alone

    Good Luck
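The procedure above is a manual walk through CN=Public Key Services,CN=Services in the Configuration partition. The following is an added example, not code from the thread, that does the same enumeration with the RSAT ActiveDirectory module and removes the matches only when explicitly asked (everything runs as -WhatIf by default). It also checks the NTAuthCertificates object, which the thread does not mention but which an enterprise CA also publishes its certificate into. Assumptions: RSAT is installed, the account can write to the Configuration partition (Enterprise Admins), and the CA name 'contoso-DCSERVER-CA' is a placeholder; only the host name 'DCSERVER' comes from the thread.

```powershell
# Added example (not from the thread): find and optionally remove Public Key Services
# objects that reference a retired enterprise CA. Assumes RSAT ActiveDirectory module and
# rights to modify the Configuration partition. CA name below is an assumed placeholder.
Import-Module ActiveDirectory

function Get-RetiredCAObjects {
    param(
        [Parameter(Mandatory)] [string] $CAName,   # CA common name, e.g. 'contoso-DCSERVER-CA' (assumed)
        [Parameter(Mandatory)] [string] $HostName  # server that hosted it, e.g. 'DCSERVER'
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNC"

    # Entries named after the CA live under AIA, Certification Authorities, Enrollment
    # Services and KRA; the entry named after the host is the container under CDP.
    # The OID container is excluded on purpose, as the accepted answer advises.
    $filter = "(|(cn=*$CAName*)(cn=*$HostName*))"
    Get-ADObject -SearchBase $pks -SearchScope Subtree -LDAPFilter $filter -Properties objectClass |
        Where-Object { $_.DistinguishedName -notlike "*,CN=OID,$pks" } |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-RetiredCANTAuthEntries {
    # NTAuthCertificates is a single object whose multi-valued cACertificate attribute
    # holds every enterprise CA certificate; match values by parsing them as X.509.
    param([Parameter(Mandatory)] [string] $CAName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntauth = Get-ADObject "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC" -Properties cACertificate
    foreach ($raw in $ntauth.cACertificate) {
        # Comma wraps the byte[] so New-Object passes it as one argument, not unrolled.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        if ($cert.Subject -like "*$CAName*") {
            [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Raw = $raw; Object = $ntauth }
        }
    }
}

function Remove-RetiredCAObjects {
    param(
        [Parameter(Mandatory)] [string] $CAName,
        [Parameter(Mandatory)] [string] $HostName,
        [switch] $Force   # without -Force every change runs as -WhatIf
    )
    foreach ($obj in Get-RetiredCAObjects -CAName $CAName -HostName $HostName) {
        # -Recursive covers containers such as the CDP\<host> entry that hold child CRL objects.
        Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false -WhatIf:(-not $Force)
    }
    foreach ($entry in Get-RetiredCANTAuthEntries -CAName $CAName) {
        # Remove just this certificate value; other CAs in NTAuthCertificates stay untouched.
        Set-ADObject -Identity $entry.Object -Remove @{ cACertificate = $entry.Raw } -WhatIf:(-not $Force)
    }
}

# Dry run first. Review the list, then re-run with -Force to delete.
Remove-RetiredCAObjects -CAName 'contoso-DCSERVER-CA' -HostName 'DCSERVER'
```

Two practitioner checks before running with -Force: confirm the CA issued nothing that is still in use (its certificates stop chaining once the root is gone from the enterprise store, and its CRL disappears with the CDP entry), and confirm that the CA name pattern does not also match a live CA, since the LDAP filter uses wildcards. The client-side enterprise store is rebuilt from these containers on each autoenrollment pass, so after the deletion a `certutil -pulse` or `gpupdate /force` (or the restart the question mentions) should be enough to confirm the certificate no longer comes back.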

    Author Closing Comment

    Fantastic!  That's exactly what I was looking for.  Thank you!
