Wanting to remove CA from domain (MS Server 2008) without causing certificate errors

Posted on 2012-09-12
Medium Priority
Last Modified: 2012-09-17
I'm planning to remove/decommission the CA for a domain using this article:


As far as I can tell the CA server and its certificates aren't necessary. I find the certificates on domain controllers, the Exchange 2010 server, user PCs, etc. Some old and expired. Others still active and valid.
My knowledge of certificates and their usage is pretty basic. So I'm being cautious and willing to ask silly questions, just to make sure I don't turn this into a wrecking-ball event.
The CA-issued certificates can be found in the Personal, Trusted Root Certification Authorities, and Intermediate Certification Authorities folders of the Certificates console. I do not know how to determine what they are needed for, or if I could/should reissue them as self-signed certificates. Or if they just need to expire out and then take action (if any).

There could be a 'gotcha' somewhere and I'm looking for it. But currently, I cannot find any reason why a CA was set up in the domain in the first place.
Any advice or just plain help would be great.
Question by:xdd-llc

Accepted Solution

Schnell Solutions earned 1000 total points
ID: 38391214
Hello XDD,

So... it looks like a CA was installed in your domain a long time ago and it looks like it is not used at all, and because of that there is a plan for uninstalling it.

Certificates can be used for multiple purposes: authentication between computers, data encryption with EFS on the computers, data encryption while travelling (SSL, TLS), etc. But well. First of all, and very, very IMPORTANT, you need to validate very carefully and with precision that you are not using certificate services before decommissioning it. I know cases where people have eliminated servers or CA installations and then they realised that it was used for some services. In one of these cases the service was for encrypting files with EFS, and then all the users using this technology had problems accessing their encrypted information.

Where to start for checking on the use of your CA?

Access the CA console, and there you can find a container called "Issued Certificates". At this place your CA will show all the certificates that have been delivered, to whom they were delivered, when, the purpose and until what date each is valid. You can focus on the valid ones and track the certificates delivered to the different users and servers and then investigate if they are still functional.

If you don't see delivered certificates, or if the delivered certificates were made a long time ago and these certificates are already expired, you can proceed and follow the article for decommissioning the CA.

If you find delivered certificates you need to validate with high precision that they are not used anymore; if they are used then you will need to find other solutions for these services (like self-signed certificates for them, or unencrypt the data and encrypt it with a different certificate, etc.). And after all of these revisions and validations that it is not being used anymore, then uninstall the CA.

But remember, take care in case it is being used for some reason.

And anyway, if everything points to you being able to decommission it, make a backup of the system state of your CA server. It is going to save the CA database and configuration, so you will be able to restart it if needed.

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 1000 total points
ID: 38391217
As you mention, in your environment an Exchange server is running.

For the Exchange 2010 server, if you are using a third-party certificate to access OWA and Outlook Anywhere then you can remove the CA.

If you are not using a third-party certificate then, instead of the Exchange self-signed certificate, a CA-issued certificate is good and secure.

For an Exchange server certificate issued by your CA: after uninstalling the CA, all CA certificates will also be removed from the server, so you have to reissue a self-signed certificate for the Exchange server.
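
An added example, not from either answer above: a PowerShell inventory that does the "Issued Certificates" review Schnell Solutions describes (from the CA host) and the Exchange certificate-binding check Sushil Sonawane raises (from the Exchange server), plus an EKU listing so smart-card or logon use would show up. `CASERVER` and `XDomainNameX-CA` are placeholders for the CA host and CA common name.

```powershell
# Added example (not part of the original thread). Run in an elevated
# PowerShell; step 3 needs the Exchange Management Shell on the Exchange server.
$CaConfig = 'CASERVER\XDomainNameX-CA'   # placeholder: <CA host>\<CA common name>
$CaName   = 'XDomainNameX-CA'            # placeholder: CA common name as it appears in Issuer

# 1. Issued (Disposition=20) certificates in the CA database that have NOT expired yet.
#    This is the same data as the "Issued Certificates" container, written to CSV
#    so it can be walked through requester by requester.
certutil -config $CaConfig -view -restrict "Disposition=20,NotAfter>now" `
    -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv |
    Tee-Object -FilePath .\ca-issued-still-valid.csv

# 2. On each server (DCs, Exchange, SQL, Terminal Servers): machine certificates
#    that chain to this CA and what they are permitted for. An EKU such as
#    "Smart Card Logon" or "KDC Authentication" means the CA is used for logon,
#    which is the case where removing it would hurt.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "CN=$CaName" } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'EKU'; Expression = {
            ($_.EnhancedKeyUsageList | Select-Object -ExpandProperty FriendlyName) -join ', ' } } |
    Format-List

# 3. Exchange 2010 only: which services (IIS, SMTP, POP, IMAP) are bound to each
#    certificate. A certificate from the in-house CA with a non-empty Services
#    value is still in use even if IIS Manager does not show it.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Select-Object Thumbprint, Issuer, Services, NotAfter, IsSelfSigned |
        Format-Table -AutoSize
}
```

Anything listed by step 1 that is still valid should be matched against steps 2 and 3 on the host it was issued to before the CA is uninstalled.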

Author Comment

ID: 38391348
Thanks for the responses.

Schnellsolutions: I will track down the list of certificates issued. What do I do about the certificates used by the domain controllers? They must be in use for trust. Can I just revoke them and it will reissue itself a self-signed one? Or are these certificates really not in use?

Sushil84: I will double check, but currently the Exchange server and the two Terminal Server machines have 3rd-party certificates for remote access. Doesn't mean that a CA-signed certificate isn't in there somewhere. This whole thing is quite the minefield.

Another reason I want to decommission the CA is that it has lost trust with the domain. The CA server got rolled back to a previous backup and this killed the domain trust. It seems to still be functional, just only locally accessible. From what I've read, having the CA (or at least the root) not part of the domain is a good thing.

Expert Comment

by:Sushil Sonawane
ID: 38391534
As you mention the Exchange server and the two Terminal Server machines have 3rd-party certificates for remote access, you can safely remove your CA.

Expert Comment

by:Schnell Solutions
ID: 38391640
It is not supposed to have an impact as long as you don't use a SmartCard infrastructure or a similar validation mechanism. The trust between your domain controllers is based on Kerberos authentication and it won't be affected.

If you don't use a SmartCard infrastructure or similar RSA validation systems you can ignore these delivered certificates.

Author Comment

ID: 38392539
Does SQL use CA certificates for anything? In this case it's only used by Deltek, an accounting software package with no remote access. Domain-only access, no Internet.

Author Comment

ID: 38395496
I found only three issued certificates that haven't expired.

All use the 'WebServer' template. One was issued to the Exchange server (but it's not listed in IIS certificates). Another was issued to the CA server itself. The last is to the network domain XDomainNameX.com.

In the certificate information the issued purpose is 'Ensures the identity of a remote computer'.

I can understand a certificate issued to the Exchange server for remote access. Even though I have a 3rd-party certificate in place and it is listed in IIS. Revoking it or letting it expire shouldn't be a problem.

The certificate to the CA itself? Not sure why, but if I'm removing the CA services... does it matter?

The third certificate I'm researching. But I don't know why there's one to the domain. Is this related to the DCs? If so, revoking it or letting it expire shouldn't be a problem either.

Any advice?


Expert Comment

by:Sushil Sonawane
ID: 38395561
SQL does not use CA certificates for anything. Your Exchange server uses the third-party certificate, so you can go ahead and remove your CA.
