Proper procedure to decommission CA?

The previous sysadmin (now my boss) installed the CS role and created a self-signed CA cert on a DC to "play" with it. I need to decommission the DC (WS2008) and replace it with WS2012R2 and we don't want to migrate the CA if we don't have to.

There are active EFS certs for a handful of users as well as DC certs for the remote DCs.

My research leads me to believe this is the correct process to safely remove it from the domain:

1. Use cipher.exe to determine if any user files are encrypted and decrypt if necessary
2. Follow Microsoft's instructions to uninstall the CA (revoke certs, etc.)
3. Delete DC certificates from the DCs
4. Delete EFS certificates from the users' machines

Is this correct? Are there any other caveats?
mckenziesmithj asked:

arnold commented:
If you have certificates issued by the CA, you should backup/restore the CA as a VM.
The other option, you have to make sure those who use certificates issued by the CA, stop decrypting .............

And then do that. You can demote the DC while maintaining the CA role. Virtualize after (p2v).......
0
mckenziesmithj (Author) commented:
It should've never been set up in the production environment the way it was, so migrating it unless absolute necessary is not desired. When we redo our server licensing next FY, we'll set up a CA hierarchy the correct way.

Both servers are virtualized (although we are changing from Xen to VMware); it's just not possible to do an in-place upgrade from WS2008 32-bit to WS2012R2 which is why we're migrating and decommissioning.
0
arnold commented:
I would suggest that you first make sure those who use certificates for EFS actually decrypt the files before the decommissioning. Export their certificates including private keys just in case something is overlooked.

Since you will be setting up a new setup, your only need now is to make sure you get the data off that will not be certificate/CA dependent.....

Is this question more or less a way to stop CA functionality to avoid having additional certificates..........
0
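An added example (not code from the question or from either answer) covering step 1 of the question's list and arnold's advice to export the EFS certificates with their private keys before the CA is removed. It uses the file system's Encrypted attribute and .NET's File.Decrypt in place of cipher.exe, assumes it runs in the session of each EFS user (only the key holder can decrypt), and assumes the PKI module's Export-PfxCertificate (Windows 8 / Server 2012 and later); the path and file names are placeholders.

```powershell
# Added example: inventory EFS-encrypted files, back up the user's EFS key, then (optionally) decrypt.
# Assumptions: run as the EFS user; Export-PfxCertificate available (PKI module, Win8/2012+).
param(
    [string]$Root      = $env:USERPROFILE,                          # tree to scan (placeholder)
    [string]$ExportDir = (Join-Path $env:USERPROFILE 'efs-backup'), # where PFX files go (placeholder)
    [switch]$Decrypt                                                # off by default: report only
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

# 1. Files still carrying the Encrypted attribute (same information cipher.exe /u /n reports).
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })
Write-Host "EFS-encrypted files under ${Root}: $($encrypted.Count)"
$encrypted | Select-Object -ExpandProperty FullName

# 2. Export the user's EFS certificate(s) with private key before anything is revoked or deleted,
#    so a file that was overlooked can still be recovered later.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString 'PFX password for the exported EFS key'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }
foreach ($cert in $efsCerts) {
    $pfx = Join-Path $ExportDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Write-Host "Exported $($cert.Subject) [$($cert.Thumbprint)] to $pfx"
}

# 3. Only with -Decrypt: remove the dependency on the soon-to-be-revoked certificate.
if ($Decrypt) {
    foreach ($file in $encrypted) {
        try {
            [System.IO.File]::Decrypt($file.FullName)   # equivalent of cipher.exe /d for one file
            Write-Host "Decrypted $($file.FullName)"
        } catch {
            Write-Warning "Could not decrypt $($file.FullName): $($_.Exception.Message)"
        }
    }
    # Re-check: anything left is encrypted under another user's key or a recovery agent's key
    # and must be handled in that user's session before the CA goes away.
    $left = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })
    Write-Host "Still encrypted after decryption pass: $($left.Count)"
}
```

Run it once per EFS user without -Decrypt to get the inventory and the PFX backup, verify the exported file opens, and only then re-run with -Decrypt.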

mckenziesmithj (Author) commented:
Yes, I was wanting to make sure I didn't overlook anything such as exporting certificates/private keys.

Thanks.
0