What is the best practice in decommissioning a root certificate authority in a Windows domain environment? The root CA is self signed and running on a Windows Server 2012 R2 Standard virtual machine. It has pushed certs out to all of my domain controllers which makes me very nervous about revoking them and decoming the root CA. I haven't pushed any certs out via GPO nor have I installed any on anything of worth. I was about follow the directions found here
but wanted to check in with the experts before doing so. Thanks for any help you all can provide.