<div>
Original request was to stop the certificate from propagating to the client machines. &nbsp;There are two ways the root certificate would be distributed to clients, and this answer addresses each.
</div>


<div>
Adding additional information: This is <a href="http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx" rel="ugc nofollow">the procedure to remove an Enterprise CA from an environment</a>. &nbsp;Steps 6 &amp;&nbsp;7 are of particular interest if your CA is being distributed from AD (rather than by group policy.)
</div>


<div>
I do not need to remove the Certificate Authority<br />
<br />
I originally created the &nbsp;Certificate Authority in 2011 and it created a CA Certificate.<br />
<br />
that original CA Certificate did not have a crl so I created a new CA Certificate in 2016.<br />
<br />
every time I delete the old CA Certificate from a domain client - it gets replaced.<br />
<br />
its not group policy that is causing it.<br />
<br />
I need to stop the client computers getting the 2011 CA Certificate<br />
<br />
thanks<br />
<br />
jack
</div>


<div>
I believe I understand. &nbsp;If the certificate isn't propagated by a Group policy, then there are objects in AD which still exist from the Certificate Authority created in 2011. &nbsp;Because an Enterprise Certificate authority writes objects into the Active Directory, I believe you need to run thru the Certificate Authority decommissioning steps for <b>that</b> certificate authority. &nbsp;I believe the specific object that needs to be removed is the certificationAuthority object specifies as the third object in step 6 -- but I'd advocate you run thru all of steps 5 and 6 to clean up the old installation.
</div>


<div>
Rich,<br />
<br />
can I check that you understand that I have not installed a new Certificate Authority - just a new certificate for the authority created in 2011<br />
<br />
thanks<br />
<br />
jack
</div>


<div>
Apologies. &nbsp;Just step six then... there are two certificateAuthority objects which contain the old certificate. &nbsp;It's the object in &quot;CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Co<wbr />nfiguratio<wbr />n,DC=Fores<wbr />tRoot,DC=c<wbr />om. &quot;&nbsp;which is causing that certificate to repopulate to your client machines... but be sure to only remove the 2011 certificate.<br />
<br />
(And hopefully your new CA certificate isn't signed using the SHA1 algorithm. &nbsp;Early next years, a fair amount of software will stop honoring certificates signed by CAs using SHA1. &nbsp;Less of an issue for an internal CA, but could cause some software which checks to fail without a message.)
</div>


<div>
<div class="content wysiwyg-content">
Hi,<br />
<br />
I run a Server 2012 R2 Domain.<br />
<br />
I had an issue that my original CA certificate that expires in 2021 did not have the crl url in it so I created a new CA certificate created CA certificate that expires in 2026.<br />
<br />
in the Certificate Authority General tab I can see both certificates.<br />
<br />
I need to stop the original certificate from being distributed to the Domain Clients as its causing errors on my S4B servers.<br />
<br />
I have tried going into the MMC certificates snap in (where you can see both the Old and New CA certificate) and deleting the old CA certificate on a client computer - but it just gets re-added.<br />
<br />
any help would be appreciated<br />
<br />
many thanks<br />
<br />
jack
</div>
</div>


Hi,

I run a Server 2012 R2 Domain.

I had an issue that my original CA certificate that expires in 2021 did not have the crl url in it so I created a new CA certificate created CA certificate that expires in 2026.

in the Certificate Authority General tab I can see both certificates.

I need to stop the original certificate from being distributed to the Domain Clients as its causing errors on my S4B servers.

I have tried going into the MMC certificates snap in (where you can see both the Old and New CA certificate) and deleting the old CA certificate on a client computer - but it just gets re-added.

any help would be appreciated

many thanks

jack

Prevent Old CA Certificate from being distributed to Domain Clients

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.