[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Prevent Old CA Certificate from being distributed to Domain Clients

Posted on 2016-09-08
7
Medium Priority
?
35 Views
Last Modified: 2016-10-07
Hi,

I run a Server 2012 R2 Domain.

I had an issue that my original CA certificate that expires in 2021 did not have the crl url in it so I created a new CA certificate created CA certificate that expires in 2026.

in the Certificate Authority General tab I can see both certificates.

I need to stop the original certificate from being distributed to the Domain Clients as its causing errors on my S4B servers.

I have tried going into the MMC certificates snap in (where you can see both the Old and New CA certificate) and deleting the old CA certificate on a client computer - but it just gets re-added.

any help would be appreciated

many thanks

jack
0
Comment
Question by:jackbenson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points (awarded by participants)
ID: 41789715
Okay... what I know.
There are two mechanisms thru which your trusted CA certificate is getting pushed to clients:
  1. Would be via Group Policy -- so you'd want to look thru the policies applied to your clients to make certain that isn't happening.
  2. Via certutil -dspubilsh.  In that case, I believe your certificate will be visible via ADSIEdit in Configuration,Services,Public Key Services, Certification Authorities.  Now, I fear -- that is the edge of my knowledge.  I suspect certutil -delstore is the best way to remove the old CA... but I don't know what impact manually deleting the CA Certificate might have.

In either case, fixing those will only prevent the client from receiving the CA on the local machine AGAIN after you remove them... it won't remove them.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41817529
Original request was to stop the certificate from propagating to the client machines.  There are two ways the root certificate would be distributed to clients, and this answer addresses each.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41832441
Adding additional information: This is the procedure to remove an Enterprise CA from an environment.  Steps 6 & 7 are of particular interest if your CA is being distributed from AD (rather than by group policy.)
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 1

Author Comment

by:jackbenson
ID: 41833143
I do not need to remove the Certificate Authority

I originally created the  Certificate Authority in 2011 and it created a CA Certificate.

that original CA Certificate did not have a crl so I created a new CA Certificate in 2016.

every time I delete the old CA Certificate from a domain client - it gets replaced.

its not group policy that is causing it.

I need to stop the client computers getting the 2011 CA Certificate

thanks

jack
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41833470
I believe I understand.  If the certificate isn't propagated by a Group policy, then there are objects in AD which still exist from the Certificate Authority created in 2011.  Because an Enterprise Certificate authority writes objects into the Active Directory, I believe you need to run thru the Certificate Authority decommissioning steps for that certificate authority.  I believe the specific object that needs to be removed is the certificationAuthority object specifies as the third object in step 6 -- but I'd advocate you run thru all of steps 5 and 6 to clean up the old installation.
0
 
LVL 1

Author Comment

by:jackbenson
ID: 41833474
Rich,

can I check that you understand that I have not installed a new Certificate Authority - just a new certificate for the authority created in 2011

thanks

jack
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41833497
Apologies.  Just step six then... there are two certificateAuthority objects which contain the old certificate.  It's the object in "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com. " which is causing that certificate to repopulate to your client machines... but be sure to only remove the 2011 certificate.

(And hopefully your new CA certificate isn't signed using the SHA1 algorithm.  Early next years, a fair amount of software will stop honoring certificates signed by CAs using SHA1.  Less of an issue for an internal CA, but could cause some software which checks to fail without a message.)
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question