• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 744

Wanting to remove CA from domain (MS Server 2008) without causing certificate errors

I'm planning to remove/decommission the CA for a domain using this article:

http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

As far as I can tell the CA server and its certificates aren't necessary.  I find the certificates on domain controllers, the Exchange 2010 server, user PCs, etc.  Some are old and expired.  Others are still active and valid.
 
My knowledge of certificates and their usage is pretty basic.  So I'm being cautious and willing to ask silly questions, just to make sure I don't turn this into a wrecking-ball event.
 
The CA-issued certificates can be found in the Personal, Trusted Root Certification Authorities, and Intermediate Certification Authorities folders of the Certificates console.   I do not know how to determine what they are needed for, or if I could/should reissue them as self-signed certificates.  Or if they just need to expire out and then take action (if any).

There could be a 'gotcha' somewhere and I'm looking for it.  But currently, I cannot find any reason why a CA was set up in the domain in the first place.
 
Any advice or just plain help would be great.
 
Thanks.
0
Asked: xdd-llc
2 Solutions
 
Schnell Solutions (Systems Infrastructure Engineer) commented:
Hello XDD,

So it looks like a CA was installed in your domain a long time ago and is not used at all, and because of that there is a plan to uninstall it.

Certificates can be used for multiple purposes: authentication between computers, data encryption with EFS on the computers, data encryption while in transit (SSL, TLS), etc. But first of all, and very, very IMPORTANT, you need to validate very carefully and with precision that you are not using certificate services before decommissioning them. I know of cases where people eliminated servers or CA installations and then realized they were used for some services. In one of these cases the service was for encrypting files with EFS, and then all the users of that technology had problems accessing their encrypted information.

Where to start when checking the use of your CA?

Access the CA console, where you will find a container called "Issued Certificates". There your CA will show all the certificates that have been delivered, to whom they were delivered, when, the purpose, and until what date each one is valid. You can focus on the valid ones, track the certificates delivered to the different users and servers, and then investigate whether they are still functional.

If you don't see delivered certificates, or if the delivered certificates were made a long time ago and are already expired, you can proceed and follow the article for decommissioning the CA.

If you find delivered certificates you need to validate with high precision that they are not used anymore; if they are used, then you will need to find other solutions for those services (like self-signed certificates for them, or decrypting the data and encrypting it with a different certificate, etc.). And after all of these revisions and validations that it is not being used anymore, then uninstall the CA.

But remember, take care in case it is being used for some reason.

And anyway, if everything points to your being able to decommission it, make a backup of the system state of your CA server. It is going to save the CA database and configuration, so you will be able to restart it if needed.
0
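The "Issued Certificates" check and the backup described above, done from the command line so the result can be filtered and kept. This is an added example and is not code from the thread or from the linked TechNet article; it assumes an elevated PowerShell prompt on the CA server itself (certutil then defaults to the local CA), that `C:\CABackup` and the `D:` volume are free to use, and that the `CertUtil:`/`Maximum Row` trailer lines certutil prints are filtered out before the CSV is parsed.

```powershell
# Added example (not from the thread or the linked article): inventory what a
# Windows Server 2008 enterprise CA has issued, then back it up, before decommissioning.
# Run in an elevated PowerShell prompt on the CA server; certutil defaults to the local CA.
$backupDir = 'C:\CABackup'   # assumed: any local folder with free space

# 1. Every certificate the CA issued (Disposition=20) that has not yet expired.
#    Names in -out are CA database column names; 'csv' makes the output parseable.
#    certutil appends status lines ("CertUtil: ... completed", "Maximum Row Index"),
#    which are dropped so they do not turn into bogus rows.
$cols = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter,SerialNumber'
$live = certutil -view -restrict 'Disposition=20,NotAfter>now' -out $cols csv |
    Where-Object { $_ -notmatch '^(CertUtil:|Maximum Row)' } |
    ConvertFrom-Csv
$live | Format-Table -AutoSize

# 2. Split the live certificates by requester. certutil labels the CSV header with
#    display names, so the RequesterName column is read by position (index 1 in $cols).
#    Computer accounts look like DOMAIN\HOST$ ; everything else is a user (or a service).
$machine = @(); $user = @()
foreach ($row in $live) {
    $requester = @($row.PSObject.Properties)[1].Value
    if ($requester -match '\$$') { $machine += $row } else { $user += $row }
}
'{0} live certificates: {1} to computer accounts, {2} to users' -f `
    @($live).Count, $machine.Count, $user.Count

# 3. Templates still published on this CA. DomainController, KerberosAuthentication,
#    or any autoenrolling template here means clients keep renewing until the CA is gone.
certutil -catemplates

# 4. Back up the CA database plus its certificate and private key (password protects
#    the exported key), then the system state, which the TechNet article also relies on.
#    wbadmin needs the Windows Server Backup feature installed.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -p 'ChangeMeBeforeRunning' -backup $backupDir
wbadmin start systemstatebackup -backupTarget:D: -quiet    # assumed: D: is a spare volume
```

One gotcha the thread does not spell out: a certificate that is "allowed to expire" still chains to this CA until then, and any application that performs revocation checking will start rejecting it as soon as the CA's last published CRL expires, which usually happens long before the certificate does. Treat every row in step 1 as something to replace or re-issue, not just to wait out.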
 
Sushil Sonawane commented:
As you mention, an Exchange server is running in your environment.

For an Exchange 2010 server, if you are using a third-party certificate to access OWA and Outlook Anywhere, then you can remove the CA.

If you are not using a third-party certificate, then a CA-issued certificate is better and more secure than the Exchange self-signed certificate.

If the Exchange server certificate was issued by your CA, then after you uninstall the CA all CA certificates are also removed from the server, so you will have to reissue a self-signed certificate for the Exchange server.
0
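Whether Exchange is "using" a third-party certificate is something Exchange itself can answer: each certificate carries a `Services` binding, and only bound certificates matter. The following is an added example, not code from the thread or from Microsoft; it assumes the Exchange Management Shell on the Exchange 2010 server and that the enterprise CA's common name is `XDomainNameX-CA` (a placeholder, adjust to yours).

```powershell
# Added example (not from the thread): in the Exchange Management Shell on the
# Exchange 2010 server, show which certificate each Exchange service really uses and
# whether any certificate issued by the enterprise CA is still bound.
$caName = 'XDomainNameX-CA'   # assumed: CN of the enterprise CA's own certificate

$all = Get-ExchangeCertificate
$all | Select-Object Thumbprint, Subject, Issuer, NotAfter, Services, IsSelfSigned |
    Format-Table -AutoSize

# A certificate only matters to Exchange if Services is something other than None
# (IIS = OWA/Outlook Anywhere/EWS/ActiveSync, SMTP = transport TLS, POP/IMAP, UM).
$inUse   = $all | Where-Object { $_.Services -ne 'None' }
$caBound = $inUse | Where-Object { $_.Issuer -like "*CN=$caName*" }

if ($caBound) {
    foreach ($c in $caBound) {
        Write-Warning ('CA-issued cert {0} still serves {1} (expires {2:d})' -f `
            $c.Thumbprint, $c.Services, $c.NotAfter)
    }
    # Re-point those services at the third-party certificate BEFORE the CA goes away, e.g.
    #   Enable-ExchangeCertificate -Thumbprint <third-party thumbprint> -Services IIS,SMTP
    # Exchange 2010 also keeps its own self-signed certificate for internal SMTP TLS;
    # leave that one alone, it never depended on the CA.
} else {
    'No CA-issued certificate is bound to any Exchange service on this server.'
}

# Expired or unbound CA-issued certificates are just clutter; list them for cleanup.
$all | Where-Object { $_.Issuer -like "*CN=$caName*" -and $_.Services -eq 'None' } |
    Select-Object Thumbprint, Subject, NotAfter
```

Run this on every Exchange role server, not only the one that fronts OWA: a Hub Transport server can have an old CA-issued certificate bound to SMTP while IIS already uses the third-party one.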
 
xdd-llc (Author) commented:
Thanks for the responses.

Schnellsolutions:  I will track down the list of certificates issued.  What do I do about the certificates used by the domain controllers?  They must be in use for trust.  Can I just revoke them and will each one reissue itself a self-signed one?  Or are these certificates really not in use?


Sushil84 : I will double check, but currently the Exchange server and the two Terminal Server machines have 3rd-party certificates for remote access.  That doesn't mean a CA-signed certificate isn't in there somewhere.  This whole thing is quite the minefield.


Another reason I want to decommission the CA is that it has lost trust with the domain.  The CA server got rolled back to a previous backup and this killed the domain trust.  It seems to still be functional, just only locally accessible.  From what I've read, having the CA (or at least the root) not part of the domain is a good thing.
0
 
Sushil Sonawane commented:
As you mention, the Exchange server and the two Terminal Server machines have 3rd-party certificates for remote access, so you can safely remove your CA.
0
 
Schnell Solutions (Systems Infrastructure Engineer) commented:
It is not supposed to have an impact as long as you don't use a SmartCard infrastructure or a similar validation mechanism. The trust between your domain controllers is based on Kerberos authentication and it won't be affected.

If you don't use a SmartCard infrastructure or similar RSA validation systems you can ignore these delivered certificates.
0
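The distinction drawn above (Kerberos trust versus certificate-backed logon) can be checked per machine rather than taken on faith: a certificate's Enhanced Key Usage says what it may be used for, and a TLS probe shows whether the box is actually presenting one. The following is an added example, not code from the thread; it assumes it is run in PowerShell on a domain controller or member server and that the enterprise CA's common name is `XDomainNameX-CA` (a placeholder). It goes slightly beyond the DC case: the same scan answers the original question about what the Personal, Trusted Root and Intermediate stores contain on any machine.

```powershell
# Added example (not from the thread): on a DC or member server, find every certificate
# issued by the enterprise CA, show its template and usages, flag the ones whose loss
# breaks logons or EFS, and probe which certificate the TLS listeners really present.
$caName = 'XDomainNameX-CA'   # assumed: CN in the enterprise CA's own certificate

$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}
# Usages that back smart-card logon / PKINIT or EFS, unlike a plain TLS server identity.
$sensitive    = @('1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.5', '1.3.6.1.4.1.311.10.3.4')
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')   # V1 name / V2 info

# Walk every store (Personal, Trusted Root, Intermediate, ...) of the machine and the user.
$fromCa = Get-ChildItem Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Issuer -like "*CN=$caName*" }

$report = foreach ($c in $fromCa) {
    $ekuOids = @()
    foreach ($ext in $c.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $template = $c.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }
    New-Object PSObject -Property @{
        Store      = ($c.PSParentPath -split '::')[-1]          # e.g. LocalMachine\My
        Subject    = $c.Subject
        Template   = ($template -join ' ')
        Usage      = (($ekuOids | ForEach-Object {
                          if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join ', ')
        Expires    = $c.NotAfter
        PrivateKey = $c.HasPrivateKey
        Critical   = [bool]($ekuOids | Where-Object { $sensitive -contains $_ })
    }
}
$report | Sort-Object Critical -Descending |
    Format-Table Store, Subject, Template, Usage, Expires, PrivateKey, Critical -AutoSize

# Which certificate a TLS listener on this host actually presents. A DC completes the
# LDAPS (636) handshake only if it holds a usable Server Authentication certificate;
# the validation callback accepts anything so an untrusted chain still gets reported.
function Get-PresentedCert([string]$computer, [int]$port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($computer, $port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($computer)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}
foreach ($port in 636, 443) {
    try {
        $p = Get-PresentedCert $env:COMPUTERNAME $port
        '{0}: {1} issued by {2}' -f $port, $p.Subject, $p.Issuer
    } catch { '{0}: no TLS answer ({1})' -f $port, $_.Exception.Message }
}
```

Reading the output: a DC certificate whose usage is only Server Authentication (or Server plus Client Authentication from the DomainController template) backs LDAPS and nothing in the Kerberos password logon path, so Kerberos keeps working whether it is revoked, expired or gone; what does break is any client that talks LDAPS to that DC. Rows flagged `Critical` (Smart Card Logon, KDC Authentication, EFS) are the ones the answer above warns about. Certificates that arrived through autoenrollment are not re-issued as self-signed when the CA disappears; they simply lapse at `Expires`.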
 
xdd-llc (Author) commented:
Does SQL use CA certificates for anything?  In this case it's only used by Deltek, an accounting software package with no remote access.   In-domain-only access, no Internet.
0
 
xdd-llc (Author) commented:
I found only three issued certificates that haven't expired.

All use the 'WebServer' template.  One was issued to the Exchange server (but it's not listed in IIS certificates).  Another was issued to the CA server itself.  The last is to the network domain XDomainNameX.com.

In the certificate information the issued purpose is 'Ensures the identity of a remote computer'.

I can understand a certificate issued to the Exchange server for remote access.  Even though I have a 3rd-party certificate in place and it is listed in IIS.  Revoking it or letting it expire shouldn't be a problem.

The certificate to the CA itself?  Not sure why, but if I'm removing the CA services... does it matter?

The third certificate I'm researching.  But I don't know why there's one to the domain.  Is this related to the DCs?  If so, revoking it or letting it expire shouldn't be a problem either.

Any advice?

Thanks.
0
 
Sushil Sonawane commented:
SQL does not use CA certificates for anything. Your Exchange server uses the third-party certificate, so you can go ahead and remove your CA.
0