Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

PKI - Remove ENterprise Cerificate from all Servers/Workstations

Posted on 2013-05-30
10
432 Views
Last Modified: 2013-06-06
Hi All -

We recently setup a POC for certificate services in a ADDS 2008 R2 environment.  As part of it we rolled out a 'dummy' certificate which all servers and workstations auto-enrolled.  We would now like to remove this certificate from the certificate store of close to 1,000 machines.

What is the cleanest/easiest way to this?

Kind regards.
0
Comment
Question by:wrenmott
  • 4
  • 3
  • 3
10 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39208226
its just a (negative) registry key.
Usually you should find each as entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
(or sometimes
HKEY_LOCAL_MACHINE -or- HKEY_CURRENT_USER \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
if they weren't installed by group policy)

the key name is the same as the certificate thumbprint; for example, on my host here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118

is the Certum CA with thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118

now, a dot-reg file to remove that key entirely is the same as a normal, additive key but with a minus sign in front of the key name, so:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]

Open in new window


working from that, you should be able to build a dot-reg file which, when pushed out to all nodes to run on login, will remove the key completely from the registry (and hence, the certificate from the machine). you *can* sorta push out registry keys by group policy, but its usually easier to just push out a dot-reg file :)
0
 
LVL 1

Author Comment

by:wrenmott
ID: 39208241
That verifies what I've seen elsewhere.  I was hopinh there was a magical 'revoke' button rather than rolling out a regkey enterprise wide.

If you know one comes up with anything better the points are yours!

Cheers for the clarification.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39208298
no, no magic. you could probably write a program to let you select a cert and generate the regkey you need, but given how rarely this comes up (and how simple technically the solution is, even if it means a bit of legwork finding the thumbprint in the registry first)  nobody ever had :)
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 40

Expert Comment

by:footech
ID: 39208549
I'm not 100% on this, but I thought it worked last time I tried.  There is a Group Policy setting under Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment Settings | "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates".  With that enabled, if you revoke the issued certificate it should be removed.  Under Issued Certificates, you can Ctrl- or Shift- click to select multiple certs to revoke.
0
 
LVL 40

Expert Comment

by:footech
ID: 39208706
Also, here is some code to remove a certificate with PowerShell 2.0.  PS 3.0 has improved support for certificate management .  In either case, you would need to use PS Remoting for this to work with remote machines.
$store = New-Object System.Security.Cryptography.x509Certificates.x509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  $store.Remove($cert)
}
$store.Close()

Open in new window


A PS 3.0 version would be like
Get-ChildItem cert:\LocalMachine\My | Where {$_.NotBefore -lt "7/20/2012"} | Remove-Item -force -whatif

Open in new window

Here's a link to a related thread. http:Q_28015522.html#a38882045
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39210580
That's correct,  footech, but requires that the cert be expired or revoked. Revoking a root is very hard indeed :(
0
 
LVL 1

Author Comment

by:wrenmott
ID: 39210757
Hi guys -

I simply cannot find the option through group policy though I looked through it this morning.  The certificate in question was issued by our issuing cert server, not our our root, if that makes a difference.
0
 
LVL 40

Accepted Solution

by:
footech earned 250 total points
ID: 39211421
@DaveHowe - He doesn't appear to be talking about a root certificate.

@wrenmott - You should see the setting like in the screenshot below.GP setting
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39215760
Ok, that will work better then - I clearly misunderstood.
have to revoke all those certificates first, of course.
0
 
LVL 1

Author Closing Comment

by:wrenmott
ID: 39225771
Hi guys -

In the end I split the points because you both not only provided valuable scripting guidance but also a nice clean GUI solution through GPOs which is what we'll end up doing.  For some reason going through a GPO rather than a script is less scary for the business even though we all know its essentially the same thing.

Cheers!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question