Dismiss old Microsoft Certification Authority (CA)

Luca Fabbri 156 Reputation points
2020-10-15T10:33:31.327+00:00

Hello Community,
I'm writing to ask for some information regarding Microsoft Certification Authority (CA) dismission.

Basically a brand new CA replaced an old one installed on a member server (Windows Server 2008 R2); so now I have to dismiss it.
I read these useful articles:

  1. How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects (TechNet Wiki)
  2. How to decommission a Windows enterprise certification authority and remove all related objects (Microsoft Learn)
  3. Manually remove old CA references in Active Directory

Questions:

  1. Can you confirm: uninstalling Certificate Services from the server (removing the Active Directory Certificate Services role) won't remove any Certificate Templates? I know it is so, but a double confirmation is really appreciated.
  2. Assume, for example, the server "hosting" the old CA isn't available anymore; so I have to proceed to clean up Active Directory manually. These are the AD objects to remove (commonly listed by the three articles above):
    • certificateAuthority (AIA)
    • crlDistributionPoint (CDP)
    • certificationAuthority (Certification Authorities)
    • pKIEnrollmentService (Enrollment Services)
    • certificationAuthority (NtAuthCertificates)

The last article mentions an additional object: msPKI-PrivateKeyRecoveryAgent (KRI). I assume it should be removed too (because that object is referring to the old CA); however, a double confirmation is really appreciated.

Any other advice regarding CA dismission?

Thank you,
Luca


Accepted answer
  1. Luca Fabbri 156 Reputation points
    2020-10-15T14:37:02.427+00:00

    Hello Community,
    I'll answer (my) questions myself:

    1. Yes, I can confirm: uninstalling Certificate Services from the server (removing the Active Directory Certificate Services role) won't remove any Certificate Templates because this task is treated separately in the dismission procedure (see articles in opening post).
    2. Even though the first two articles don't mention the object msPKI-PrivateKeyRecoveryAgent (KRI), this object will be removed after completing section "Remove all Certification Services objects from Active Directory" > point 12.

    Thank you,
    Luca
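
A read-only inventory of the Public Key Services objects listed in the question, added here as an example; it is not part of the original thread or of the linked Microsoft articles. It assumes the ActiveDirectory PowerShell module (RSAT) and a placeholder `$OldCaName`, and it matches both by object name and by the subject of stored CA certificates, so the shared NTAuthCertificates object is reported when it still holds the old CA's certificate.

```powershell
# Added example: read-only inventory of old-CA references in AD; it deletes nothing.
Import-Module ActiveDirectory

# Assumption: placeholder, set to the common name of the CA being retired.
$OldCaName = '<OLD-CA-COMMON-NAME>'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Object classes listed in the question, plus the key recovery agent class.
$classes = 'certificationAuthority', 'cRLDistributionPoint',
           'pKIEnrollmentService', 'msPKI-PrivateKeyRecoveryAgent'
$filter  = '(|' + (($classes | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'

$objects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -LDAPFilter $filter `
    -Properties cACertificate

$report = foreach ($obj in $objects) {
    # Decode any CA certificates stored on the object; placeholder values
    # that are not valid DER are skipped.
    $thumbprints = foreach ($raw in $obj.cACertificate) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            if ($cert.GetNameInfo('SimpleName', $false) -eq $OldCaName) { $cert.Thumbprint }
        } catch { }
    }

    $byName = $obj.Name -eq $OldCaName
    if ($byName -or $thumbprints) {
        [pscustomobject]@{
            ObjectClass       = $obj.ObjectClass
            MatchedBy         = if ($byName) { 'object name' } else { 'stored CA certificate' }
            OldCaThumbprints  = $thumbprints -join ','
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

$report | Sort-Object DistinguishedName | Format-List
```

Running it before and after the cleanup gives a record of what referenced the old CA and confirms nothing is left; the name match relies on the AD object name equalling the CA common name, which may not hold for names containing special characters.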
