
Solved

PKI - Remove Enterprise Certificate from all Servers/Workstations

Posted on 2013-05-30
Last Modified: 2013-06-06
Hi All -

We recently set up a POC for certificate services in an ADDS 2008 R2 environment. As part of it we rolled out a 'dummy' certificate which all servers and workstations auto-enrolled. We would now like to remove this certificate from the certificate store of close to 1,000 machines.

What is the cleanest/easiest way to do this?

Kind regards.
Question by:wrenmott
10 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 39208226
It's just a (negative) registry key.
Usually you should find each as entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
(or sometimes
HKEY_LOCAL_MACHINE -or- HKEY_CURRENT_USER \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
if they weren't installed by group policy).

The key name is the same as the certificate thumbprint; for example, on my host here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118

is the Certum CA with thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118.

Now, a dot-reg file to remove that key entirely is the same as a normal, additive key but with a minus sign in front of the key name, so:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]

Working from that, you should be able to build a dot-reg file which, when pushed out to all nodes to run on login, will remove the key completely from the registry (and hence, the certificate from the machine). You *can* sorta push out registry keys by group policy, but it's usually easier to just push out a dot-reg file :)
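Working from Dave Howe's description, here is an added PowerShell helper (not code from the thread or from either expert) that takes a certificate thumbprint, checks the registry paths he lists for a matching key, and writes the negative-key .reg file for whatever it finds. The thumbprint and output path are supplied by the caller; the store list (AuthRoot, Root, CA, My) is an assumption covering the usual logical stores. Nothing on the machine is deleted: the generated file is meant to be reviewed first and then deployed the way the thread describes.

```powershell
# Added example, not from the thread: locate the registry key that backs a
# certificate (key name == SHA-1 thumbprint) and emit a .reg removal file.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                        # thumbprint of the dummy cert
    [string]$OutFile = ".\remove-dummy-cert.reg"
)

# Thumbprints copied from the certificates MMC often carry spaces or an
# invisible leading character; normalise to the bare upper-case hex used as
# the registry key name.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($tp.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$tp'" }

# Registry roots from the thread: GPO-deployed certs live under
# EnterpriseCertificates, locally installed ones under SystemCertificates
# (machine or per-user). The store names are an assumption.
$roots  = @('HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates',
            'HKLM:\SOFTWARE\Microsoft\SystemCertificates',
            'HKCU:\SOFTWARE\Microsoft\SystemCertificates')
$stores = @('AuthRoot', 'Root', 'CA', 'My')

# Collect every path where a key named after the thumbprint exists.
$hits = foreach ($root in $roots) {
    foreach ($store in $stores) {
        $path = Join-Path $root "$store\Certificates\$tp"
        if (Test-Path $path) { $path }
    }
}

if (-not $hits) {
    Write-Host "Thumbprint $tp not found in any searched store on $env:COMPUTERNAME"
    return
}

# .reg syntax spells the hive out in full, PowerShell drives abbreviate it;
# a leading '-' inside the brackets tells regedit to delete the key.
$lines = @('Windows Registry Editor Version 5.00', '')
foreach ($hit in $hits) {
    Write-Host "Found: $hit"
    $full = $hit -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $full = $full -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $lines += "[-$full]"
    $lines += ''
}

# Regedit expects UTF-16LE for the 5.00 header format.
$lines | Set-Content -Path $OutFile -Encoding Unicode
Write-Host "Wrote $OutFile; review it before deploying"
```

Run it once on a machine known to hold the dummy certificate and read the generated file before it goes anywhere near a logon script; the `Found:` lines also tell you which store the POC enrolment actually landed in, which decides whether a machine-wide or per-user removal is needed.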
 
LVL 1

Author Comment

by:wrenmott
ID: 39208241
That verifies what I've seen elsewhere. I was hoping there was a magical 'revoke' button rather than rolling out a regkey enterprise wide.

If no one comes up with anything better the points are yours!

Cheers for the clarification.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39208298
No, no magic. You could probably write a program to let you select a cert and generate the regkey you need, but given how rarely this comes up (and how simple technically the solution is, even if it means a bit of legwork finding the thumbprint in the registry first) nobody ever has :)
 
LVL 41

Expert Comment

by:footech
ID: 39208549
I'm not 100% on this, but I thought it worked last time I tried.  There is a Group Policy setting under Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment Settings | "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates".  With that enabled, if you revoke the issued certificate it should be removed.  Under Issued Certificates, you can Ctrl- or Shift- click to select multiple certs to revoke.
 
LVL 41

Expert Comment

by:footech
ID: 39208706
Also, here is some code to remove a certificate with PowerShell 2.0. PS 3.0 has improved support for certificate management. In either case, you would need to use PS Remoting for this to work with remote machines.

# Open the LocalMachine\My (Personal) store for writing
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately;
# this example keeps only certs whose validity started before 20 July 2012
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  $store.Remove($cert)
}
$store.Close()

A PS 3.0 version would be like

# Drop -WhatIf once the listed certificates are the ones you expect
Get-ChildItem cert:\LocalMachine\My | Where {$_.NotBefore -lt "7/20/2012"} | Remove-Item -Force -WhatIf

Here's a link to a related thread. http:Q_28015522.html#a38882045
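As an added example (not footech's code), the same X509Store approach wrapped so it is safe to push to 1,000 machines: it filters on the issuing CA's distinguished name rather than a NotBefore date, so certificates from other CAs that happen to share a date range are left alone, it honours -WhatIf/-Confirm through ShouldProcess, and it returns a per-machine summary object that Invoke-Command can aggregate. The issuer DN 'CN=POC-Issuing-CA, DC=corp, DC=example' and the targets file are constructed placeholders for the POC CA, not values from the thread. It runs on PowerShell 2.0.

```powershell
# Added example, not from the thread: remove auto-enrolled certificates
# issued by one CA from a machine store, with a dry-run mode.
function Remove-IssuedCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$IssuerName,                 # full issuer DN as shown on the cert
        [string]$StoreName = 'My',
        [string]$StoreLocation = 'LocalMachine'
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Exact match on the issuer DN; wrap in @() so a single hit is still an array.
        $targets = @($store.Certificates | Where-Object { $_.Issuer -eq $IssuerName })

        foreach ($cert in $targets) {
            $desc = "$($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
            # ShouldProcess supplies -WhatIf and -Confirm handling.
            if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME`: $desc", 'Remove certificate')) {
                $store.Remove($cert)
                Write-Verbose "Removed $desc"
            }
        }

        # Summary object so results from many machines can be collected and reviewed.
        New-Object PSObject -Property @{
            ComputerName = $env:COMPUTERNAME
            Matched      = $targets.Count
            Removed      = if ($WhatIfPreference) { 0 } else { $targets.Count }
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run on the local machine first (placeholder issuer DN):
# Remove-IssuedCertificate -IssuerName 'CN=POC-Issuing-CA, DC=corp, DC=example' -WhatIf -Verbose

# Live run across the fleet with PS Remoting; the function body is shipped as
# the script block and targets.txt is a constructed list of computer names.
# $computers = Get-Content .\targets.txt
# Invoke-Command -ComputerName $computers `
#     -ScriptBlock ${function:Remove-IssuedCertificate} `
#     -ArgumentList 'CN=POC-Issuing-CA, DC=corp, DC=example' |
#     Select-Object ComputerName, Matched, Removed | Format-Table -AutoSize
```

The issuer filter is what makes the bulk run defensible: the POC CA is the one thing every dummy certificate has in common and nothing else in the store shares, whereas a date cut-off can sweep up legitimately issued certificates from the production CA. Keep the -WhatIf output from the pilot group as the record of what the later live run was expected to touch.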
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39210580
That's correct, footech, but requires that the cert be expired or revoked. Revoking a root is very hard indeed :(
 
LVL 1

Author Comment

by:wrenmott
ID: 39210757
Hi guys -

I simply cannot find the option through group policy though I looked through it this morning. The certificate in question was issued by our issuing cert server, not our root, if that makes a difference.
 
LVL 41

Accepted Solution

by:footech
footech earned 1000 total points
ID: 39211421
@DaveHowe - He doesn't appear to be talking about a root certificate.

@wrenmott - You should see the setting like in the screenshot below.

[Screenshot: GP setting]
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39215760
OK, that will work better then; I clearly misunderstood.
You'd have to revoke all those certificates first, of course.
 
LVL 1

Author Closing Comment

by:wrenmott
ID: 39225771
Hi guys -

In the end I split the points because you both not only provided valuable scripting guidance but also a nice clean GUI solution through GPOs, which is what we'll end up doing. For some reason going through a GPO rather than a script is less scary for the business even though we all know it's essentially the same thing.

Cheers!