Best Practice: Decommissioning a Windows Domain Certificate Authority

What is the best practice for decommissioning a root certificate authority in a Windows domain environment? The root CA is self-signed and running on a Windows Server 2012 R2 Standard virtual machine. It has pushed certs out to all of my domain controllers, which makes me very nervous about revoking them and decommissioning the root CA. I haven't pushed any certs out via GPO, nor have I installed any on anything of worth. I was about to follow the directions found here but wanted to check in with the experts before doing so. Thanks for any help you all can provide.
Todd Willoughby, Lead System Engineer, asked:

Revoking your own certificate via your own CRL (signed with the same certificate) will kill every copy of that certificate out there....
btan, Exec Consultant, commented:
The steps are pretty standard and the only means of decommissioning a CA per se... but note the feedback from those who have tried it out:
I have a 2008 R2 CA and I too cannot process step 5 to view and delete the private key.
... My solution was to specify the -csp on the command line as well.

Issuing certutil -store and then identifying the certificate provider and subject from that before running the following:

    certutil -csp "[Provider]" -delkey "[Subject]"

(The name given to -delkey is the "Key Container" value that certutil -store prints next to "Provider" for the CA certificate; for a CA it is normally the CA's common name, which is why matching it against the subject works.)

.... I suggest step 5 should be changed to: certutil -csp "Microsoft Software Key Storage Provider" -key, as this will list the keys held by the CSP given on the command line.
If you have a single-tier PKI, meaning the Root CA issues directly to all the DCs and is running live because it is the only active CA issuing certs, then even steps 1 and 2 (revoking) will break apps once services and apps start checking the published CRL and find the CA is... This needs proper messaging and acceptance from all major stakeholders and system owners for a rollout and change of this scale; address their concerns and find a suitable, accepted slot to run the exercise. It is always good to run through the steps in staging to see any potential repercussions... in fact, this link indirectly says to avoid a single tier too:
DON’T use Root CA to issue certificates directly to the end users.

DON’T install CA on a domain controller. It is technically possible, but not recommended. CA should run on a separate machine.

DO create multi-tiers architecture. For huge organizations, depending on Active Directory structure and amount of forests and domains, DO use 2 or 3-tier architecture.

DON’T domain join Root CA or Subordinate CA. Let those most important, top-level CAs stay in workgroup.

DON’T use online Root and Policy CAs, especially if their private keys are not protected by an HSM (Hardware Security Module). Offline CAs' hard drives or virtual disk files should be placed in a secure vault until a CA certificate needs to be issued or a new CRL needs to be issued and published.

DO create CA backup, including private key, CA certificate, certificate database and certificate database log, CAPolicy.inf file and exported CA templates.

If you have a two-tier PKI, which has always been the better approach, the Root CA is mostly standalone, not connected to the network, and issues its cert to the Enterprise CA(s). The latter are then the official ones issuing certs to servers and endpoints as required (or even further tiers using subordinate CAs). The impact of decommissioning the Root CA should be smaller since it affects the Enterprise CA(s) only, though it likewise needs to step through those mentioned steps... the servers/endpoints will still see the Enterprise CA, not the Root CA, as their chain-of-trust validation point. See "Grp 3" there instead for the considerations around the exercise of redesigning a PKI (not much difference).

Overall, decommissioning a Root CA is no small matter; be prepared to roll back and have a data backup done, especially of AD. If smart-card logon is in use, do seek your card provider's advice and any other precautions to take...
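The "revoke everything, then publish a final CRL" part of the single-tier case above, as an added example; this is not code from the thread or from btan. It is meant to be run locally on the old root CA by a CA administrator, so certutil targets the local CA. It is a dry run unless -Commit is given, and the list of templates you expect to still be live (DomainController for the DCs, WebServer for the test sites) and the 99-year final CRL lifetime are assumptions for this scenario.

```powershell
# Added example, not from the thread: inventory what the old root CA has issued, then revoke
# everything and publish a final long-lived CRL. Run locally on the old root CA as a CA admin.
# Dry run unless -Commit is given. The expected template list is an assumption for this scenario.
[CmdletBinding()]
param(
    [switch]$Commit,
    [string[]]$ExpectedTemplates = @('DomainController', 'WebServer'),
    [int]$FinalCrlYears = 99   # must outlive every revoked cert; the value Microsoft's decommission KB uses
)

# 1. Issued certificates (Disposition 20) still in the CA database. certutil writes CSV with
#    display-name headers, so read the column names back instead of hard-coding them;
#    their order matches the -out list.
$issued = certutil -view -restrict "Disposition=20" `
              -out "RequestID,SerialNumber,CommonName,CertificateTemplate,NotAfter" csv |
          ConvertFrom-Csv
if (-not $issued) { Write-Host "Nothing in the issued state; nothing to revoke."; return }
$ColRequest, $ColSerial, $ColCN, $ColTemplate, $ColNotAfter = @($issued)[0].PSObject.Properties.Name

Write-Host "Issued certificates by template:"
$issued | Group-Object $ColTemplate | Format-Table Name, Count -AutoSize

# 2. Gate: a template outside the expected list means something real still depends on this CA.
#    V1 templates (DomainController) show their name; V2+ may show "Name (OID)", hence -like.
$unexpected = @($issued | Where-Object {
    $t = $_.$ColTemplate
    -not ($ExpectedTemplates | Where-Object { $t -like "*$_*" })
})
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected live certificates; investigate before revoking:"
    $unexpected | Format-Table $ColRequest, $ColCN, $ColTemplate, $ColNotAfter -AutoSize
    return
}

# 3. Deny anything still pending (Disposition 9) so no last-minute issuance slips through.
$pending = certutil -view -restrict "Disposition=9" -out "RequestID" csv | ConvertFrom-Csv
foreach ($p in @($pending)) {
    $id = $p.PSObject.Properties.Value | Select-Object -First 1
    if ($Commit) { certutil -deny $id } else { Write-Host "[dry run] certutil -deny $id" }
}

# 4. Revoke every issued certificate. Reason code 5 = CessationOfOperation.
foreach ($c in $issued) {
    $serial = $c.$ColSerial
    if ($Commit) { certutil -revoke $serial 5 | Out-Null }
    else { Write-Host ("[dry run] certutil -revoke {0} 5   # {1} ({2})" -f $serial, $c.$ColCN, $c.$ColTemplate) }
}

# 5. Make the final base CRL valid longer than any revoked cert, drop delta CRLs, publish, verify.
if ($Commit) {
    certutil -setreg CA\CRLPeriodUnits $FinalCrlYears
    certutil -setreg CA\CRLPeriod "Years"
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    Restart-Service certsvc
    certutil -crl
    $crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate|CRL Number|CRL Entries'
} else {
    Write-Host "[dry run] would set CRLPeriod to $FinalCrlYears years, disable deltas, restart certsvc and run certutil -crl"
}
```

Run it once without -Commit and read the template summary: if anything other than the templates you expect shows up, that is exactly the "something depends on this CA" case btan warns about. The final CRL is published before the CA is uninstalled, and it is checked with certutil -dump, because clients that still hold the revoked DC certs will keep fetching that CRL from the CDP until the certs expire; if the CRL itself expires with no CA left to refresh it, validation fails for a different reason than revocation.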

Trusts are valid if you delete the master key.
You need to revoke it to destroy all signed keys.
btan, Exec Consultant, commented:
To add, I advise you to explore these two articles too.

"Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One"

"Moving Your Organization from a Single Microsoft CA to a Microsoft Recommended PKI"
If you need to migrate your organization from the Old And Busted CA to the New Hotness PKI, then the very first thing you should do is deploy the new PKI.

So you have your new PKI installed and you’re ready to migrate your organization over to it. How does one do that without impacting one’s organization too severely?

The first thing you’ll want to do is prevent the old CA from issuing any new certificates. You could just uninstall it, of course, but that could cause considerable problems. What do you think would happen if that CA’s published CRL expired and it wasn’t around to publish a new one? Depending on the application using those certificates, they’d all fail to validate and become useless. Wireless clients would fail to connect, smart card users would fail to authenticate, and all sorts of other bad things would occur. The goal is to prevent any career limiting outages so you shouldn’t just uninstall that CA.

No, you should instead remove all the templates from the Certificate Templates folder using the Certification Authority MMC snap-in on the old CA. If an Enterprise CA isn’t configured with any templates it can’t issue any new certificates. On the other hand, it is still quite capable of refreshing its CRL, and this is exactly the behavior you want. Conversely, you’ll want to add those same templates you removed from the Old And Busted CA into the Certificate Templates folder on the New Hotness Issuing CA.

If you’re extremely sensitive to that kind of failure, however, then just add your templates to the New Hotness Issuing CA first, wait a day (or whatever your end-to-end replication latency is) and then remove those templates from the Old And Busted CA. In the long run, it won’t matter if the Old And Busted CA issues a few last minute certificates.
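The template hand-off the quoted article describes, as an added example that is not code from the thread or from the article: add the templates on the new issuing CA first, confirm the change has reached every DC rather than guessing at replication latency, and only then remove them from the old CA and prove it can still publish a CRL. The host names are assumptions; it needs the ADCSAdministration module on both CA hosts and the ActiveDirectory module where it runs.

```powershell
# Added example, not from the thread or the quoted article. Host names are placeholders.
$OldCA = 'OLDROOTCA'      # old enterprise root CA host
$NewCA = 'ISSUINGCA01'    # new issuing CA host

# ADCSAdministration cmdlets only act on the local CA, so run them on each CA host.
$oldTemplates = Invoke-Command -ComputerName $OldCA {
    Import-Module ADCSAdministration; (Get-CATemplate).Name
}
if (-not $oldTemplates) { Write-Host "Old CA already has no templates."; return }
"Templates on $OldCA : $($oldTemplates -join ', ')"

# 1. Add on the new CA first, so there is never a window in which nobody can enroll.
Invoke-Command -ComputerName $NewCA -ArgumentList (,$oldTemplates) {
    param($names)
    Import-Module ADCSAdministration
    $have = (Get-CATemplate).Name
    foreach ($n in $names) {
        if ($have -contains $n) { "$n already present"; continue }
        Add-CATemplate -Name $n -Force
        "added $n"
    }
}

# 2. A CA's template list is stored in AD (the certificateTemplates attribute of its
#    pKIEnrollmentService object), so "wait for replication" can be checked, not guessed.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$newCAName = Invoke-Command -ComputerName $NewCA {
    (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration).Active
}
$dn = "CN=$newCAName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$lagging = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $seen    = (Get-ADObject -Server $dc -Identity $dn -Properties certificateTemplates).certificateTemplates
    $missing = $oldTemplates | Where-Object { $seen -notcontains $_ }
    if ($missing) { "$dc missing: $($missing -join ', ')" }
}
if ($lagging) {
    $lagging
    Write-Warning "Not replicated to every DC yet; rerun later before removing templates from $OldCA"
    return
}

# 3. Only now take the templates off the old CA, and show it still publishes a CRL.
Invoke-Command -ComputerName $OldCA -ArgumentList (,$oldTemplates) {
    param($names)
    Import-Module ADCSAdministration
    foreach ($n in $names) { Remove-CATemplate -Name $n -Force; "removed $n" }
    "Remaining on old CA: $((Get-CATemplate).Name -join ', ')"   # expect nothing
    certutil -getreg CA\CRLPeriodUnits
    certutil -getreg CA\CRLPeriod
    certutil -crl      # a CA with no templates cannot issue, but it can and does still publish CRLs
}
```

The replication check is the point of the script: it replaces the article's "wait a day" with a per-DC look at the attribute that autoenrollment actually reads, and it refuses to strip the old CA until every DC agrees.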
Todd Willoughby, Lead System Engineer (author), commented:
We don't have any entities using the certificates that this root CA is issuing other than testing on a couple of local websites of no consequence. However, the root CA has issued certificates to all of our domain controllers and I need to know what effect it will have if I revoke those certs. Will it break our active directory infrastructure? As I said before, the root CA hasn't issued certs to any entities of consequence so nothing is depending on these certs for security or authentication. The certificate template type is domain controller (DomainController).
btan, Exec Consultant, commented:
In short, no, as long as there are no outstanding Enterprise request tasks that need the Root CA for renewal etc. The template should be fine then. I do not see a major impact then... but as shared, the Root CA's private key is best backed up as well... the steps should be fine to follow to make sure AD is updated accordingly to remove any old Root CA info.
Todd Willoughby, Lead System Engineer (author), commented:
So if I revoke all of the certificates on the old root CA including the certs it issued automatically to my domain controllers, it won't cause any problems with AD or anything else? Keep in mind only test machines are using the certs from this root CA so it won't affect anyone except for the DCs. Sorry if I sound like a broken record but I want to be certain without a shadow of a doubt that decommissioning this root CA will not negatively impact my environment or users.
Todd Willoughby, Lead System Engineer (author), commented:
Thank you for the two-tier PKI recommendation.
btan, Exec Consultant, commented:
Not that I can anticipate, since we are following guidance whose steps have been walked through by others as well. The catch is to monitor and have a backup readily available if something crops up (which I do not foresee for the later records). Once the CRL is published and the AD records updated, endpoints will re-sync again. I am also wearing a sceptic's hat, as such an exercise is not trivial (in fact, once production is touched, nothing is trivial; my own few cents' worth).
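The question asked twice above, whether revoking the DC certificates breaks AD, is something you can measure on each DC rather than reason about, so here is an added example; it is not code from the thread or from either participant. For every DC it lists the machine certificates that chain to the old root and shows which certificate the LDAPS listener on 636 is actually presenting; run it before the revocation to see what is exposed, and again afterwards with -RemoveOldCerts to clear the now-revoked certificates out of the DC stores and pulse autoenrollment so the DC gets a replacement from the new CA. The thumbprint and subject of the old root are placeholders you must replace.

```powershell
# Added example, not from the thread. Thumbprint and subject below are placeholders.
[CmdletBinding()]
param(
    [string]$OldRootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$OldRootSubject    = 'CN=Contoso-Root-CA, DC=contoso, DC=com',
    [switch]$RemoveOldCerts
)

function Get-LdapsServerCert {
    # Open a TLS session to the DC's LDAPS port and return the leaf certificate it presents.
    param([string]$Server)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    try {
        # Validation callback always returns $true: we want to see the cert even once it is revoked.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $fromOld = Invoke-Command -ComputerName $dc `
                   -ArgumentList $OldRootThumbprint, $OldRootSubject, ([bool]$RemoveOldCerts) {
        param($rootTp, $rootSubject, $remove)
        $hits = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            # Prefer the chain root's thumbprint; fall back to the issuer string, because once the
            # old root has been purged from the Trusted Root store the chain comes back partial.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            [void]$chain.Build($_)
            $top = ($chain.ChainElements | Select-Object -Last 1).Certificate.Thumbprint
            ($top -eq $rootTp) -or ($_.Issuer -eq $rootSubject)
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Subject = $h.Subject; Thumbprint = $h.Thumbprint; NotAfter = $h.NotAfter }
            if ($remove) { Remove-Item -Path "Cert:\LocalMachine\My\$($h.Thumbprint)" -DeleteKey }
        }
        if ($remove) { certutil -pulse | Out-Null }   # kick autoenrollment so the new CA issues a replacement
    }
    $ldaps = Get-LdapsServerCert -Server $dc
    "{0}: {1} cert(s) chain to the old root; LDAPS presents {2} issued by {3}" -f `
        $dc, @($fromOld).Count, $ldaps.Thumbprint, $ldaps.Issuer
    $fromOld | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}
```

Kerberos and normal replication between DCs do not depend on these certificates, which is why the answer to "will it break AD" is no; what the DC certificates do carry is LDAPS and smart-card logon, and both show up in this output. The reason for -RemoveOldCerts is that a DC holding both the revoked certificate and a fresh one from the new CA can keep presenting the revoked one on 636, so clients that check the CRL will reject it until the old certificate is gone from the store.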