• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1505
  • Last Modified:

Root CA being published for Enterprise CA that no longer exists

I'm running into a minor issue with our certificate services in our domain and can't seem to figure out how to resolve.

We had an old Enterprise CA (DCSERVER) that was set up, used for a little bit, then decommissioned before I started.  I think they just uninstalled the role from the server (2003) once they were done testing.

Since then I have completely decommissioned this server (demoted from AD and shut it down forever).

The problem is this CA's certificate is still being published to the Trusted Root CA store on all the domain members.  I can't seem to figure out how to get rid of this certificate.  I deleted it from the local store on my PC and it is back after a restart which leads me to believe AD is pushing this back to me on a GPO refresh.

Anyone know how to get rid of this certificate forever?
0
Asked: mcsween
1 Solution
 
Adam Brown, Sr Solutions Architect, commented:
You'll need to find the Group Policy that is publishing the certificate. Run RSOP.MSC on a computer and look for settings under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. This will tell you which GPO(s) are pushing that certificate out and you can then remove the setting from there.
0
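Before hunting through GPOs it helps to know which physical store on the client actually holds the certificate: the logical Trusted Root store is backed by several registry-backed stores, and a certificate delivered by Group Policy sits under a different key than one pulled from the AD Certification Authorities container by the autoenrollment client. The script below is an added example written for this page, not code from the thread. It assumes the GroupPolicy RSAT module is installed, the caller can read GPOs, and that the unwanted root's subject contains the CA name passed in `$CaName` (here the thread's `DCSERVER`, an assumption).

```powershell
# Added example, not from the thread: locate a stray root CA on a domain member and
# work out whether Group Policy or the AD-published (Enterprise) store delivered it,
# then list every GPO in the domain that carries a Trusted Root certificate setting.
# Assumptions: GroupPolicy RSAT module present; $CaName matches the cert's Subject.
param([string]$CaName = 'DCSERVER')

# Physical stores behind the logical LocalMachine\Root store. A certificate pushed by
# GPO lands under ...\Policies\...; one synced from the AD "Certification Authorities"
# container by the autoenrollment client lands under ...\EnterpriseCertificates\...
$physicalStores = @{
    'Local Computer'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Group Policy'    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (AD)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

$targets = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaName*" }
if (-not $targets) {
    Write-Host "No certificate matching '$CaName' in LocalMachine\Root on this machine."
    return
}

foreach ($cert in $targets) {
    Write-Host "Found: $($cert.Subject)  (thumbprint $($cert.Thumbprint))"
    foreach ($store in $physicalStores.GetEnumerator()) {
        # Each physical store keys its certificates by thumbprint.
        if (Test-Path (Join-Path $store.Value $cert.Thumbprint)) {
            Write-Host "  present in physical store: $($store.Key)"
        }
    }
}

# Which GPOs publish any root certificate at all? Certificate settings are written to
# the GPO's Registry.pol under the same Policies\...\Root\Certificates key, so they can
# be read with Get-GPRegistryValue without opening each GPO in the editor.
Import-Module GroupPolicy
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
foreach ($gpo in Get-GPO -All) {
    $vals = Get-GPRegistryValue -Guid $gpo.Id -Key $policyKey -ErrorAction SilentlyContinue
    if ($vals) {
        Write-Host "GPO '$($gpo.DisplayName)' publishes root certificates:"
        $vals | ForEach-Object { Write-Host "  $($_.FullKeyPath)" }
    }
}
```

If the thumbprint shows up only under the Enterprise (AD) store and no GPO publishes it, the source is the Public Key Services container in the Configuration partition rather than Group Policy, which is the situation the question describes.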
 
mcsween, Sr. Network Administrator (Author), commented:
Thanks for the reply, but this certificate isn't being pushed out through "conventional" group policy.  This was the Trusted Root Certificate for an Enterprise CA installed on a domain controller.  The certificate was being deployed automatically through auto-enrollment.
0
 
bgoering commented:
In your default domain policy look at Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

You will probably find the certificate in there and will be able to remove it. I don't believe this will remove it from the hosts in your domain, but it should keep it from being pushed out any more once you delete it manually.

Also check default domain controller policy as well as any other custom policies you may have in your environment.

I don't know that you can actually autoenroll trusted certificates - autoenroll is more intended for user/computer certs

Good Luck
0
 
mcsween, Sr. Network Administrator (Author), commented:
There are no certificates being enrolled through Group Policy (At least under Public Key Policies\Trusted Root Certificate Authorities).

0
 
bgoering commented:
Open Active Directory Sites and Services.
Right-click the top line, expand View, then select Show Services Node.
Expand the Public Key Services, and all expandable nodes under it

Browse through the information, wherever you see the name of the retired certificate authority right click it and delete it. You will likely find it under AIA and Certificate Authorities. You will possibly find it under Enrollment Services and KRA.
 
Wherever you see the name of the server that used to host it, right-click and delete it; it will likely be in a container under CDP.

Leave the OID node alone

Good Luck
0
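The same walk through the Public Key Services container can be done from PowerShell, which is useful when you want to see everything the retired CA left behind before deleting anything. The script below is an added example written for this page, not code from the thread. It assumes the ActiveDirectory RSAT module, Enterprise Admin rights (the container lives in the forest-wide Configuration partition), and that `$CaName` and `$HostName` (both set to the thread's `DCSERVER` as an assumption) match the object names in AD. It also checks the `NTAuthCertificates` object, which the thread does not mention but which receives an Enterprise CA's certificate at install time and should be cleaned with the rest.

```powershell
# Added example, not from the thread: report, and optionally delete, the objects under
# CN=Public Key Services that still reference a retired Enterprise CA. Mirrors the
# containers named in the answer (AIA, Certification Authorities, Enrollment Services,
# KRA, CDP) and deliberately leaves the OID container alone.
# Assumptions: ActiveDirectory RSAT module; Enterprise Admin; names below are placeholders.
param(
    [string]$CaName   = 'DCSERVER',   # CA common name as it appears in AD (assumption)
    [string]$HostName = 'DCSERVER',   # server that hosted the CA; names its CDP container
    [switch]$Delete                   # without this switch the script only reports
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# Container to inspect, and the string to look for in the object name within it.
$checks = @(
    @{ Container = "CN=AIA,$pks";                       Match = $CaName   }
    @{ Container = "CN=Certification Authorities,$pks"; Match = $CaName   }
    @{ Container = "CN=Enrollment Services,$pks";       Match = $CaName   }
    @{ Container = "CN=KRA,$pks";                       Match = $CaName   }
    @{ Container = "CN=CDP,$pks";                       Match = $HostName }
)

$stale = foreach ($c in $checks) {
    # Not every forest has a KRA or CDP container; skip missing ones quietly.
    if (-not (Test-Path "AD:\$($c.Container)")) { continue }
    Get-ADObject -SearchBase $c.Container -SearchScope OneLevel -Filter * |
        Where-Object { $_.Name -like "*$($c.Match)*" }
}

foreach ($obj in $stale) {
    Write-Host "Stale PKI object: $($obj.DistinguishedName)"
    if ($Delete) {
        # CDP entries are containers with CRL objects beneath them, so remove recursively.
        Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false
        Write-Host "  removed"
    }
}

# NTAuthCertificates (not covered in the thread): a multi-valued cACertificate attribute
# holding every Enterprise CA certificate the forest trusts for logon-capable certificates.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    if ($x509.Subject -like "*$CaName*") {
        Write-Host "NTAuthCertificates still lists: $($x509.Subject) ($($x509.Thumbprint))"
        if ($Delete) {
            Set-ADObject -Identity $ntauth.DistinguishedName -Remove @{ cACertificate = $raw }
            Write-Host "  removed from NTAuthCertificates"
        }
    }
}

if (-not $stale -and -not $ntauth.cACertificate) {
    Write-Host "Nothing referencing '$CaName' / '$HostName' found under $pks"
}
```

Run it once without `-Delete` and read the list; anything under the OID container is never touched. After the objects are gone, domain members drop the certificate from their Enterprise store on the next autoenrollment pass (a `gpupdate` or `certutil -pulse` triggers one immediately), which is why the manual deletion in the question kept coming back while the AD objects still existed.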
 
mcsween, Sr. Network Administrator (Author), commented:
Fantastic!  That's exactly what I was looking for.  Thank you!
0
