Solved

PKI - Remove Enterprise Certificate from all Servers/Workstations

Posted on 2013-05-30
Last Modified: 2013-06-06
Hi All -

We recently set up a POC for certificate services in an ADDS 2008 R2 environment.  As part of it we rolled out a 'dummy' certificate which all servers and workstations auto-enrolled.  We would now like to remove this certificate from the certificate store of close to 1,000 machines.

What is the cleanest/easiest way to do this?

Kind regards.
0
Question by:wrenmott
10 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39208226
It's just a (negative) registry key.
Usually you should find each as entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
(or sometimes
HKEY_LOCAL_MACHINE -or- HKEY_CURRENT_USER \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
if they weren't installed by group policy)

The key name is the same as the certificate thumbprint; for example, on my host here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118

is the Certum CA with thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118

Now, a dot-reg file to remove that key entirely is the same as a normal, additive key but with a minus sign in front of the key name, so:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]

Working from that, you should be able to build a dot-reg file which, when pushed out to all nodes to run on login, will remove the key completely from the registry (and hence, the certificate from the machine). You *can* sorta push out registry keys by group policy, but it's usually easier to just push out a dot-reg file :)
0
 
LVL 1

Author Comment

by:wrenmott
ID: 39208241
That verifies what I've seen elsewhere.  I was hoping there was a magical 'revoke' button rather than rolling out a regkey enterprise wide.

If anyone comes up with anything better, the points are yours!

Cheers for the clarification.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39208298
No, no magic. You could probably write a program to let you select a cert and generate the regkey you need, but given how rarely this comes up (and how simple technically the solution is, even if it means a bit of legwork finding the thumbprint in the registry first) nobody ever has :)
0
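A sketch of the "program" mentioned in the comment above, as an added example that is not code from the thread: it takes thumbprints, checks the three registry locations named in the first answer, and writes the matching delete entries to a dot-reg file. The function names and the output file name are hypothetical; the thumbprint is the one quoted in the first answer.

```powershell
# Added example, not code from the thread. Builds a REGEDIT4 file that deletes the
# registry key of each listed certificate, looking in the locations named above.
function Find-CertRegistryKey {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$StoreName = 'AuthRoot'   # store used in the thread's example
    )
    # Thumbprints pasted from the certificate dialog often contain spaces or
    # invisible characters; keep hex digits only and insist on 40 of them (SHA-1).
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -ne 40) { throw "Not a 40-digit thumbprint: '$Thumbprint'" }

    # HKCU only reflects the user running the script
    $roots = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates',
             'HKLM:\SOFTWARE\Microsoft\SystemCertificates',
             'HKCU:\SOFTWARE\Microsoft\SystemCertificates'
    foreach ($root in $roots) {
        $path = "$root\$StoreName\Certificates\$tp"
        if (Test-Path -Path $path) { $path }   # emit only keys that exist on this machine
    }
}

function New-CertRemovalRegFile {
    param(
        [Parameter(Mandatory=$true)][string[]]$Thumbprint,
        [string]$StoreName = 'AuthRoot',
        [string]$OutFile = '.\remove-certs.reg'       # hypothetical file name
    )
    $lines = @('REGEDIT4', '')
    foreach ($t in $Thumbprint) {
        foreach ($key in @(Find-CertRegistryKey -Thumbprint $t -StoreName $StoreName)) {
            # .reg files use the long hive names; a leading minus deletes the key
            $full = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
            $lines += "[-$full]", ''
        }
    }
    if ($lines.Count -eq 2) {
        Write-Warning 'No matching certificate keys found; no file written.'
        return
    }
    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    $lines   # return the generated text so it can be reviewed before deployment
}

# Thumbprint quoted in the first answer (Certum CA on that poster's machine)
New-CertRemovalRegFile -Thumbprint '6252DC40F71143A22FDE9EF7348E064251B18118'
```

Run it on a reference machine that still holds the certificate and review the generated file before it goes anywhere near a logon script.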
 
LVL 40

Expert Comment

by:footech
ID: 39208549
I'm not 100% on this, but I thought it worked last time I tried.  There is a Group Policy setting under Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment Settings | "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates".  With that enabled, if you revoke the issued certificate it should be removed.  Under Issued Certificates, you can Ctrl- or Shift- click to select multiple certs to revoke.
0
 
LVL 40

Expert Comment

by:footech
ID: 39208706
Also, here is some code to remove a certificate with PowerShell 2.0.  PS 3.0 has improved support for certificate management.  In either case, you would need to use PS Remoting for this to work with remote machines.

# Open the local machine's Personal ("My") store for writing
$store = New-Object System.Security.Cryptography.x509Certificates.x509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  $store.Remove($cert)
}
$store.Close()

A PS 3.0 version would be like

# -whatif only reports what would be deleted; drop it to actually remove the certificates
Get-ChildItem cert:\LocalMachine\My | Where {$_.NotBefore -lt "7/20/2012"} | Remove-Item -force -whatif

Here's a link to a related thread. http:Q_28015522.html#a38882045
0
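One way to fill in the "need some criteria here" placeholder from the comment above, as an added example that is not code from the thread: select certificates by issuing CA and certificate template instead of by date, and only report unless `-Remove` is passed. The function names, the issuer DN and the template name are hypothetical placeholders; it uses the same PowerShell 2.0 store API as the posted code.

```powershell
# Added example, not code from the thread. Report-only unless -Remove is given.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            # Certificate Template Information (version 2+ templates). Format() returns
            # text like "Template=Name(OID), Major Version Number=..."; take the first value.
            '1.3.6.1.4.1.311.21.7' {
                if ($ext.Format($false) -match '=\s*([^(,]+)') { return $Matches[1].Trim() }
            }
            # Certificate Template Name (version 1 templates): the bare template name
            '1.3.6.1.4.1.311.20.2' { return $ext.Format($false).Trim() }
        }
    }
}

function Remove-EnrolledCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$IssuerDn,      # copy from an affected certificate
        [Parameter(Mandatory=$true)][string]$TemplateName,
        [switch]$Remove
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Both conditions must match, so certificates from other templates are left alone
        $targets = @($store.Certificates | Where-Object {
            $_.Issuer -eq $IssuerDn -and (Get-CertTemplateName $_) -eq $TemplateName
        })
        foreach ($cert in $targets) {
            if ($Remove) { $store.Remove($cert) }
            # Emit one record per match so the run can be logged or exported
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
                NotAfter   = $cert.NotAfter;   Removed = [bool]$Remove
            }
        }
    }
    finally { $store.Close() }
}

# Constructed placeholder values; this call only lists what would be removed
Remove-EnrolledCertificate -IssuerDn 'CN=EXAMPLE-ISSUING-CA, DC=example, DC=local' -TemplateName 'POC-Dummy'
```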
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39210580
That's correct, footech, but requires that the cert be expired or revoked. Revoking a root is very hard indeed :(
0
 
LVL 1

Author Comment

by:wrenmott
ID: 39210757
Hi guys -

I simply cannot find the option through group policy though I looked through it this morning.  The certificate in question was issued by our issuing cert server, not our root, if that makes a difference.
0
 
LVL 40

Accepted Solution

by:
footech earned 250 total points
ID: 39211421
@DaveHowe - He doesn't appear to be talking about a root certificate.

@wrenmott - You should see the setting like in the screenshot below.

[Screenshot: GP setting]
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39215760
Ok, that will work better then - I clearly misunderstood.
Have to revoke all those certificates first, of course.
0
 
LVL 1

Author Closing Comment

by:wrenmott
ID: 39225771
Hi guys -

In the end I split the points because you both not only provided valuable scripting guidance but also a nice clean GUI solution through GPOs which is what we'll end up doing.  For some reason going through a GPO rather than a script is less scary for the business even though we all know it's essentially the same thing.

Cheers!
0

Question has a verified solution.
