Windows 2008 R2 Certificate Authority question regarding Computer Certs

I have an enterprise root CA 2008 R2 server issuing automatic computer and user certificates out to the domain. I would like to decommission the server they are coming from. We currently have another CA in our environment we would like to take its place, on a domain controller. Ultimately I would like to deploy a fresh enterprise root CA as a standalone for the domain (off of a DC).

My questions regarding this situation:
1. It appears we have no real need for this CA at the moment; we do not use SSL for internal domain websites nor EFS for file shares. Could I effectively revoke and destroy all CAs in the environment? Am I missing something?
2. Is a CA required for basic domain functions?
3. If I cannot remove the CA, could I effectively revoke all the certificates and decommission the CA?
4. What is the worst case scenario if I destroy and revoke all certs?


David Johnson, CD, MVP (Owner) commented:
"We currently have another CA in..." Is it also an enterprise root CA?
Best practice is that the enterprise root CA is not connected to the network but only used to issue a cert to an issuing CA. The root CA can be a virtual machine that is kept on a thumb drive that is stored in the company safe.

2. Is a CA required for basic domain functions? NO
3. If I cannot remove the CA, could I effectively revoke all the certificates and decommission the CA? Yes
4. What is the worst case scenario if I destroy and revoke all certs?
Anything that depends upon these valid certs will fail. I would look at the issued certs first and determine if they serve a function.

Why was the CA created in the first place and why do you want to remove it?
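The inventory step suggested above ("look at the issued certs first and determine if they serve a function") can be scripted. The following PowerShell is an added example, not code from the original thread or from any of the participants. It assumes the CA's name as it appears in certificates' Issuer field is passed in `$IssuerMatch` (the value shown is a placeholder), and that it is run in an elevated session on each server whose breakage would matter (Exchange, DCs, web servers). It lists every certificate in the machine and user personal stores that the CA issued, together with the template it came from and its enhanced key usages, which is what tells you whether a cert is merely an auto-enrolled "Machine" certificate or something a service actually binds to.

```powershell
# Added example (not from the original thread): inventory certificates issued by
# a given enterprise CA so you can judge what would break before revoking them.
# Assumption: $IssuerMatch holds a substring of the CA's subject as it appears in
# the Issuer field of issued certificates. 'CN=EXAMPLE-ROOT-CA' is a placeholder.
param(
    [string]$IssuerMatch = 'CN=EXAMPLE-ROOT-CA'
)

# Extensions that AD CS stamps on auto-enrolled certificates to record the template.
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates, e.g. "Machine")
$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 and later templates)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateV1Oid -or $ext.Oid.Value -eq $TemplateV2Oid) {
            # Format($true) returns the decoded, human-readable extension text.
            return ($ext.Format($true) -replace '\s+', ' ').Trim()
        }
    }
    return '(no template extension)'
}

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Template   = Get-TemplateName -Cert $_
                # EnhancedKeyUsageList shows what the cert may be used for, e.g.
                # Client Authentication, Server Authentication, Encrypting File System.
                EKU        = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey
                Thumbprint = $_.Thumbprint
            }
        }
}

$report | Sort-Object Store, Subject | Format-Table -AutoSize

# The same question from the issuing side, run on the CA itself: every certificate
# the CA has issued (Disposition=20), with requester and template, so you can see
# which templates were ever used in practice.
# certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```

A certificate from the default "Machine" template normally carries only the Client Authentication and Server Authentication EKUs; on its own it breaks nothing when revoked unless a service has been bound to it. On the Exchange 2010 server specifically, `Get-ExchangeCertificate` in the Exchange Management Shell shows which certificate is bound to IIS, SMTP and the other services, and its Issuer field tells you whether it came from this CA or from a public CA.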
PTCP (Author) commented:
Thanks for the response!

The CA was created by a prior admin, and unfortunately our team has gone through a lot of scenarios on why it was created and what we may break, but it would appear the reason is no longer necessary, whatever it may have been.

The only cert that is issued, which appears to be via Default Domain Policy in a GPO for 'allow users to select new root CAs to trust', is a computer cert that verifies identity to remote computers. What would a cert like this generally be used for? We have an Exchange 2010 server in our environment; could this be a reason?
PTCP (Author) commented:
Also, you asked if this was an enterprise CA; yes indeed it is. If I were to decom this CA but kept a backup and didn't remove entries within ADSI, could I deploy a separate enterprise root CA, as opposed to a subordinate? Could two root CAs exist in one domain?
David Johnson, CD, MVP (Owner) commented:
Yes, you can have 2 root CAs, but certs issued by one CA can't be validated / changed with the other root CA. Therefore there is no reason to have more than 1, as it doesn't serve a purpose and only makes things more difficult to manage. On a practical level your root CA, as I stated before, should always be offline except to issue a cert to an issuing CA. The root CA holds the keys to the kingdom and must be highly protected. You can add/revoke issuing CAs if they get compromised and the kingdom will not fall down. Otherwise you need to NUKE and burn and start from scratch. PKI is widely used by the industry both for encryption and also for authentication. The most visible to end users is for encryption, but authentication is also very important. People tend to forget the authentication part of a certificate.

Your policies are also very important for outside environments to trust your certificates. I may trust certs issued by one subordinate CA but not subordinates of that subordinate CA or only trust specific types of certs from the subordinate CA.

For instance, to issue a code signing certificate we require 8 of 10 smart cards to be entered into our HSM before the certificate is issued, and only if the product manager(s) have signed off on the code, and then the code is signed. OTOH, a machine certificate is self-authenticated and automatically issued as long as the computer is a member of the domain. Same goes for a user certificate.

PTCP (Author) commented:
Great information, thank you very much.