Bradley Fox asked:
Root CA being published for Enterprise CA that no longer exists

I'm running into a minor issue with our certificate services in our domain and can't seem to figure out how to resolve it.

We had an old Enterprise CA (DCSERVER) that was set up, used for a little bit, then decommissioned before I started. I think they just uninstalled the role from the server (2003) once they were done testing.

Since then I have completely decommissioned this server (demoted from AD and shut it down forever).

The problem is this CA's certificate is still being published to the Trusted Root CA store on all the domain members. I can't seem to figure out how to get rid of this certificate. I deleted it from the local store on my PC and it is back after a restart, which leads me to believe AD is pushing this back to me on a GPO refresh.

Anyone know how to get rid of this certificate forever?
Adam Brown:
You'll need to find the Group Policy that is publishing the certificate. Run RSOP.MSC on a computer and look for settings under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. This will tell you which GPO(s) are pushing that certificate out and you can then remove the setting from there.
Bradley Fox (Asker):
Thanks for the reply, but this certificate isn't being pushed out through "conventional" group policy. This was the Trusted Root Certificate for an Enterprise CA installed on a domain controller. The certificate was being deployed automatically through auto-enrollment.

In your default domain policy, look at Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities.

You will probably find the certificate in there and will be able to remove it. I don't believe this will remove it from the hosts in your domain, but it should keep it from being pushed out any more once you delete it manually.

Also check default domain controller policy as well as any other custom policies you may have in your environment.

I don't know that you can actually autoenroll trusted certificates; autoenroll is more intended for user/computer certs.

Good Luck
There are no certificates being enrolled through Group Policy (at least under Public Key Policies\Trusted Root Certification Authorities).
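The exchange above turns on one question: which mechanism keeps putting the old CA's certificate back? Windows keeps the roots it gets from a GPO, the roots it downloads from Active Directory, and the roots installed locally in three separate registry hives, and merges them into the single "Trusted Root Certification Authorities" view you see in certmgr. Checking the hive a certificate actually sits in settles whether RSOP/GPO is the right place to look. The script below is an added example, not code from the thread or from Experts Exchange; the subject pattern "DCSERVER" is taken from the question and the three registry paths are the standard physical-store locations for the machine Root store. Run it on an affected domain member in an elevated PowerShell session.

```powershell
# Added example (not from the original thread): report which physical store a root CA
# certificate lives in on this machine, which tells you what is re-delivering it.
# $SubjectPattern is an assumed placeholder; set it to the old CA's name.
param([string]$SubjectPattern = 'DCSERVER')

# Physical stores that Windows merges into the logical LocalMachine\Root view.
# Each store keys its certificates by SHA-1 thumbprint.
$PhysicalStores = [ordered]@{
    'Local registry (installed by hand or by an installer)' =
        'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Group Policy (Public Key Policies in a GPO)' =
        'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (downloaded from the AD Configuration partition)' =
        'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# Cert:\LocalMachine\Root is the merged logical view, so this finds the certificate
# no matter which physical store delivered it.
$found = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$SubjectPattern*" }

if (-not $found) {
    Write-Output "No root certificate matching '$SubjectPattern' in LocalMachine\Root."
    return
}

foreach ($cert in $found) {
    Write-Output "Subject    : $($cert.Subject)"
    Write-Output "Thumbprint : $($cert.Thumbprint)"
    Write-Output "Expires    : $($cert.NotAfter)"
    foreach ($entry in $PhysicalStores.GetEnumerator()) {
        # A subkey named after the thumbprint means this store holds a copy.
        $present = Test-Path (Join-Path $entry.Value $cert.Thumbprint)
        $mark = if ($present) { 'X' } else { ' ' }
        Write-Output ("  [{0}] {1}" -f $mark, $entry.Key)
    }
    Write-Output ''
}
```

Reading the result: a tick in the Group Policy store means a GPO is delivering it and RSOP.MSC will name that GPO, as Adam Brown suggested. A tick only in the Enterprise store means no GPO is involved; the certificate is being pulled down by the certificate services client from the CN=Certification Authorities container under CN=Public Key Services,CN=Services,CN=Configuration in the forest, which is the "auto-enrollment" behaviour the asker describes, and deleting the copy from the local store or from any GPO will not stop it coming back. A tick only in the local registry store means something on the machine itself installed it and a restart should not restore it.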

ASKER CERTIFIED SOLUTION
bgoering:

Fantastic! That's exactly what I was looking for. Thank you!