Question
Friday, August 7, 2015 9:39 AM
Hello -
I created an offline Root CA running in Server Core 2012 R2 and did a certutil -dspublish with it. I subsequently realized I had a misspelling, so created another Server Core 2012 R2 instance of an offline Root CA.
I would like to remove the first Root CA from AD so the cert does not get published to every machine in the domain.
I didn't see something equivalent to -dsremove. Is this possible?
The cert has not been compromised, it's just ugly to be in all the machines' root stores.
All replies (3)
Saturday, August 8, 2015 11:15 AM ✅Answered
On Fri, 7 Aug 2015 09:39:43 +0000, Joe Daigle wrote:
I would like to remove the first Root CA from AD so the cert does not get published to every machine in the domain.
I didn't see something equivalent to -dsremove. Is this possible?
If you have an Enterprise issuing CA, run pkiview.msc on it. Right-click the Enterprise PKI node, select Manage AD Containers.
Paul Adare - FIM CM MVP
Sunday, August 9, 2015 6:18 PM ✅Answered | 1 vote
Also, if your Root CA is a standalone and offline root CA, server core isn't going to provide any benefits. In fact, some of the management you may want to do is more difficult. Server Core is great for server roles with exposure to environments where possible Windows attack surfaces should be eliminated. It is also helpful for reduced resource environments. For the added complexity and issues, I generally recommend NOT using server core in a traditional offline root CA.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
Tuesday, March 12, 2019 1:25 AM
While this is an old question, if anyone wants to know how to delete enterprise published certs without PKIVIEW.msc (although you could install it via the Certificate Authority RSAT tools), you can use ADSIEDIT.
Root CA certs are published in the Configuration container, underneath "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,[DomainDN]".
Connect to the Configuration naming context in ADSIEDIT, and navigate to that folder. The certificates can be found in there, listed by their CNs. Just delete the correct objects.
Also, there will be a cross-certificate published in the AIA folder, so delete it from there as well.
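The same cleanup done from PowerShell instead of ADSIEDIT, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, rights to delete objects in the Configuration partition, and a placeholder thumbprint for the stale root that you replace with your own; it lists every CA object in the two containers named above before touching anything, so you can confirm you are deleting the misspelled root and not the replacement.

```powershell
# Added example, not from the original thread. Lists the CA objects published under
# CN=Certification Authorities and CN=AIA in the Configuration partition and removes
# the one whose certificate matches a given thumbprint.
Import-Module ActiveDirectory

# Placeholder: put the SHA-1 thumbprint of the stale (misspelled) root CA here.
$StaleThumbprint = 'PLACEHOLDER-THUMBPRINT'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$containers = @(
    "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC",
    "CN=AIA,CN=Public Key Services,CN=Services,$configNC"
)

foreach ($container in $containers) {
    # Published roots are certificationAuthority objects; the DER-encoded
    # certificate(s) live in the multi-valued cACertificate attribute.
    $caObjects = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate

    foreach ($obj in $caObjects) {
        foreach ($der in $obj.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]]$der)

            # Show DN, thumbprint and subject so the right object can be identified.
            '{0}  {1}  {2}' -f $obj.DistinguishedName, $cert.Thumbprint, $cert.Subject

            if ($cert.Thumbprint -eq $StaleThumbprint) {
                # -WhatIf keeps this a dry run; drop it once the listing above
                # shows only the object you intend to delete.
                Remove-ADObject -Identity $obj.DistinguishedName -WhatIf
            }
        }
    }
}
```

Run it once with -WhatIf to verify the match, then without it; domain-joined machines pick up the change from Active Directory on their next refresh rather than immediately.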