Solved

PKI - Remove ENterprise Cerificate from all Servers/Workstations

Posted on 2013-05-30
10
417 Views
Last Modified: 2013-06-06
Hi All -

We recently setup a POC for certificate services in a ADDS 2008 R2 environment.  As part of it we rolled out a 'dummy' certificate which all servers and workstations auto-enrolled.  We would now like to remove this certificate from the certificate store of close to 1,000 machines.

What is the cleanest/easiest way to this?

Kind regards.
0
Comment
Question by:wrenmott
  • 4
  • 3
  • 3
10 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
Comment Utility
its just a (negative) registry key.
Usually you should find each as entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
(or sometimes
HKEY_LOCAL_MACHINE -or- HKEY_CURRENT_USER \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
if they weren't installed by group policy)

the key name is the same as the certificate thumbprint; for example, on my host here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118

is the Certum CA with thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118

now, a dot-reg file to remove that key entirely is the same as a normal, additive key but with a minus sign in front of the key name, so:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]

Open in new window


working from that, you should be able to build a dot-reg file which, when pushed out to all nodes to run on login, will remove the key completely from the registry (and hence, the certificate from the machine). you *can* sorta push out registry keys by group policy, but its usually easier to just push out a dot-reg file :)
0
 
LVL 1

Author Comment

by:wrenmott
Comment Utility
That verifies what I've seen elsewhere.  I was hopinh there was a magical 'revoke' button rather than rolling out a regkey enterprise wide.

If you know one comes up with anything better the points are yours!

Cheers for the clarification.
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
no, no magic. you could probably write a program to let you select a cert and generate the regkey you need, but given how rarely this comes up (and how simple technically the solution is, even if it means a bit of legwork finding the thumbprint in the registry first)  nobody ever had :)
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
I'm not 100% on this, but I thought it worked last time I tried.  There is a Group Policy setting under Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment Settings | "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates".  With that enabled, if you revoke the issued certificate it should be removed.  Under Issued Certificates, you can Ctrl- or Shift- click to select multiple certs to revoke.
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
Also, here is some code to remove a certificate with PowerShell 2.0.  PS 3.0 has improved support for certificate management .  In either case, you would need to use PS Remoting for this to work with remote machines.
$store = New-Object System.Security.Cryptography.x509Certificates.x509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  $store.Remove($cert)
}
$store.Close()

Open in new window


A PS 3.0 version would be like
Get-ChildItem cert:\LocalMachine\My | Where {$_.NotBefore -lt "7/20/2012"} | Remove-Item -force -whatif

Open in new window

Here's a link to a related thread. http:Q_28015522.html#a38882045
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
That's correct,  footech, but requires that the cert be expired or revoked. Revoking a root is very hard indeed :(
0
 
LVL 1

Author Comment

by:wrenmott
Comment Utility
Hi guys -

I simply cannot find the option through group policy though I looked through it this morning.  The certificate in question was issued by our issuing cert server, not our our root, if that makes a difference.
0
 
LVL 39

Accepted Solution

by:
footech earned 250 total points
Comment Utility
@DaveHowe - He doesn't appear to be talking about a root certificate.

@wrenmott - You should see the setting like in the screenshot below.GP setting
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
Ok, that will work better then - I clearly misunderstood.
have to revoke all those certificates first, of course.
0
 
LVL 1

Author Closing Comment

by:wrenmott
Comment Utility
Hi guys -

In the end I split the points because you both not only provided valuable scripting guidance but also a nice clean GUI solution through GPOs which is what we'll end up doing.  For some reason going through a GPO rather than a script is less scary for the business even though we all know its essentially the same thing.

Cheers!
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now