Decommission old certificate authorities


I have the current scenario, a certificate deployment was done years ago as a root and subordinate. the root server crashed and burned years ago and was thrown away. Another NEW certificate root has been done and clients now use that. problem is, I still see that old server on the console, how to safely delete this from the whole environment?

Current deployment is on 2012 R2.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

infernumAuthor Commented:
The server (Root CA) is not available anymore.
Dave HoweSoftware and Hardware EngineerCommented:
You can remove it using a negative registry key and group policy (or a login script) - but it isn't required; having legacy key entries in the keystores is harmless.

Certificates are held in the registry, in a location dependent on how they were installed - machine wide certs are usually in either
or sometimes

and personal certs are invariably in

To locate an exact cert, you need its thumbprint. Consider for example "GPKIRootCA" (the root CA for the Korean government) - this has a thumbprint of:
20 cb 59 4f b4 ed d8 95 76 3f d5 25 4e 95 9a 66 74 c6 ee b2

hence can be found at:

A registry file as follows:


Open in new window

(note the minus sign before HKLM)
would delete this certificate from any machine it was "added" to. Similarly therefore, if you find the thumbprint of the cert you want to remove and search for that in the registry, you should be able to construct a registry entry to remove that cert completely.
infernumAuthor Commented:
Thanks Dave for the information. What I need to do is remove it from the certificates console, I dont want to see this dead server there anymore, I guess its active directory related. Any ideas?
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Dave HoweSoftware and Hardware EngineerCommented:
I am presumably missing some context here.

Certificates console (in my experience) is usually an mmc snapin that shows certificates in a specific keystore (it's handy if you want to look at other machines or other users than the default) - there is also (obviously) a CA snapin that similarly lets you configure and control the CAs you have on your network. Can you post a screenshot of what you are looking at, so I can get context?
infernumAuthor Commented:
Dave HoweSoftware and Hardware EngineerCommented:
OK, that's the CA snapin. There are a couple of cleanup steps you need to do; you need to find the applicable objects in AD (should be under
CN=Public Key Services,CN=Services,CN=Configuration,CN=Public Key Services,CN=Services,CN=Configuration
in the tree) and remove them - there will be a CA object, crl object and so forth - and you need to right click the CA object in the view posted and should have an option to remove it.
If you can open the old PKI in the MMC, you should remove first all extensions there (just makes it easier...

You can also add the Enterprise PKI to the MMC, If open the node, you may see some invalid Objects. They point to distribution point, revocation lists etc. Here you should see your valid Root Cert, one or two AIA points, one or two CDP points and tone or two delta CRL points from the working PKI. Also you see all old and possibly already invalid objects. After cleanup only the valid ones should be left over.

Now you can open the AD (AdsiEdit or I use ADExplorer from Sysinternals) and goto
Configuration - Services - Public Key Services....
The Key Certification Services show all registered PKI, here you can delete the old one...
Move to all other folders to delete the corresponding old distribution point, revocation points etc...

CDP (CRL Distribution Point)
Enrollment Service

Be carefully with KRA
here is the private Key recovery agent
delete them only, if here are no associated certificates outside anymore.

Do not touch
Certificate Template

As long as the new certificate Authority / Root certificate Name is not the same like the old one, I guess it is easy to identify the object by the names.
infernumAuthor Commented:
I am not sure which way to go either Bembi or Dave? OR is there any specific steps I should use? The certificates issues using this dead CA are already not in use and I rolled out new certs using a new CA. I just need to cleanly delete all related objects to that dead CA.
What Dave was talking about is the same procedure at the end...
What you still can delete via the MMC, delete it over the MMC if still available.

The remaining stuff you have to delete anyway from the AD.
If you open the AD folder described above, you see subfolders with the name of your old PKI. If you find them, delete the old PKI folder with all content.
Keep away from the other folders I told you above....

At the end, insert the Enterprise PKI snapin in your MMC and see, if there are still dead entries there.
I should be clean after cleaning up the AD folders.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.