• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 450
  • Last Modified:

PKI - Remove ENterprise Cerificate from all Servers/Workstations

Hi All -

We recently setup a POC for certificate services in a ADDS 2008 R2 environment.  As part of it we rolled out a 'dummy' certificate which all servers and workstations auto-enrolled.  We would now like to remove this certificate from the certificate store of close to 1,000 machines.

What is the cleanest/easiest way to this?

Kind regards.
0
wrenmott
Asked:
wrenmott
  • 4
  • 3
  • 3
2 Solutions
 
Dave HoweSoftware and Hardware EngineerCommented:
its just a (negative) registry key.
Usually you should find each as entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
(or sometimes
HKEY_LOCAL_MACHINE -or- HKEY_CURRENT_USER \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
if they weren't installed by group policy)

the key name is the same as the certificate thumbprint; for example, on my host here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118

is the Certum CA with thumbprint 6252DC40F71143A22FDE9EF7348E064251B18118

now, a dot-reg file to remove that key entirely is the same as a normal, additive key but with a minus sign in front of the key name, so:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]

Open in new window


working from that, you should be able to build a dot-reg file which, when pushed out to all nodes to run on login, will remove the key completely from the registry (and hence, the certificate from the machine). you *can* sorta push out registry keys by group policy, but its usually easier to just push out a dot-reg file :)
0
 
wrenmottAuthor Commented:
That verifies what I've seen elsewhere.  I was hopinh there was a magical 'revoke' button rather than rolling out a regkey enterprise wide.

If you know one comes up with anything better the points are yours!

Cheers for the clarification.
0
 
Dave HoweSoftware and Hardware EngineerCommented:
no, no magic. you could probably write a program to let you select a cert and generate the regkey you need, but given how rarely this comes up (and how simple technically the solution is, even if it means a bit of legwork finding the thumbprint in the registry first)  nobody ever had :)
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
footechCommented:
I'm not 100% on this, but I thought it worked last time I tried.  There is a Group Policy setting under Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment Settings | "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates".  With that enabled, if you revoke the issued certificate it should be removed.  Under Issued Certificates, you can Ctrl- or Shift- click to select multiple certs to revoke.
0
 
footechCommented:
Also, here is some code to remove a certificate with PowerShell 2.0.  PS 3.0 has improved support for certificate management .  In either case, you would need to use PS Remoting for this to work with remote machines.
$store = New-Object System.Security.Cryptography.x509Certificates.x509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  $store.Remove($cert)
}
$store.Close()

Open in new window


A PS 3.0 version would be like
Get-ChildItem cert:\LocalMachine\My | Where {$_.NotBefore -lt "7/20/2012"} | Remove-Item -force -whatif

Open in new window

Here's a link to a related thread. http:Q_28015522.html#a38882045
0
 
Dave HoweSoftware and Hardware EngineerCommented:
That's correct,  footech, but requires that the cert be expired or revoked. Revoking a root is very hard indeed :(
0
 
wrenmottAuthor Commented:
Hi guys -

I simply cannot find the option through group policy though I looked through it this morning.  The certificate in question was issued by our issuing cert server, not our our root, if that makes a difference.
0
 
footechCommented:
@DaveHowe - He doesn't appear to be talking about a root certificate.

@wrenmott - You should see the setting like in the screenshot below.GP setting
0
 
Dave HoweSoftware and Hardware EngineerCommented:
Ok, that will work better then - I clearly misunderstood.
have to revoke all those certificates first, of course.
0
 
wrenmottAuthor Commented:
Hi guys -

In the end I split the points because you both not only provided valuable scripting guidance but also a nice clean GUI solution through GPOs which is what we'll end up doing.  For some reason going through a GPO rather than a script is less scary for the business even though we all know its essentially the same thing.

Cheers!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 4
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now