Hello Community,
I'm writing to ask for some information regarding decommissioning a Microsoft Certification Authority (CA).
Basically, a brand new CA has replaced an old one installed on a member server (Windows Server 2008 R2), so now I have to decommission the old one.
I read these useful articles:
- How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects (TechNet Wiki)
- How to decommission a Windows enterprise certification authority and remove all related objects (Microsoft Learn)
- Manually remove old CA references in Active Directory
Questions:
- Can you confirm: uninstalling Certificate Services from the server (removing the Active Directory Certificate Services role) won't remove any Certificate Templates? I know it is so, but a double confirmation is really appreciated.
- Assume, for example, that the server "hosting" the old CA isn't available anymore, so I have to clean up Active Directory manually. These are the AD objects to remove (commonly listed by the three articles above):
  - certificateAuthority (AIA)
  - crlDistributionPoint (CDP)
  - certificationAuthority (Certification Authorities)
  - pKIEnrollmentService (Enrollment Services)
  - certificationAuthority (NtAuthCertificates)

  The last article mentions an additional object: msPKI-PrivateKeyRecoveryAgent (KRI). I assume it should be removed too (because that object refers to the old CA); however, a double confirmation is really appreciated.

Any other advice regarding CA decommissioning?
Thank you,
Luca
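
A read-only inventory of the objects listed in the post, added here as an example and not taken from the post or from the linked articles. It assumes the RSAT ActiveDirectory module, PowerShell 5.0 or later, and a placeholder `$OldCaName` standing in for the old CA's common name; it deletes nothing. NTAuthCertificates is handled separately because it is a single object whose `cACertificate` attribute holds one value per trusted CA certificate.

```powershell
# Read-only inventory of AD objects that still reference a retired CA.
# Assumptions: RSAT ActiveDirectory module is installed; $OldCaName is a
# placeholder for the old CA's common name (not a value from the post).
Import-Module ActiveDirectory

$OldCaName = 'OLD-CA-NAME-PLACEHOLDER'
$configNC  = (Get-ADRootDSE).configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNC"

# Containers from the post's list, plus KRA (where the
# msPKI-PrivateKeyRecoveryAgent objects are stored).
$containers = 'AIA', 'CDP', 'Certification Authorities',
              'Enrollment Services', 'KRA'

$found = foreach ($c in $containers) {
    # CDP holds one sub-container per CA host, so search the whole subtree.
    # The trailing wildcard also matches renewed-key objects ("<name>(1)").
    Get-ADObject -SearchBase "CN=$c,$pkiBase" -SearchScope Subtree `
                 -LDAPFilter "(cn=$OldCaName*)" |
        Select-Object @{n='Container'; e={$c}}, Name, ObjectClass,
                      DistinguishedName
}
$found | Format-Table -AutoSize

# NTAuthCertificates: list every certificate stored in cACertificate and
# flag the ones whose subject names the old CA.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" `
                       -Properties cACertificate
$ntAuthCerts = foreach ($bytes in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsOldCa    = $cert.Subject -like "*CN=$OldCaName*"
    }
}
$ntAuthCerts | Format-Table -AutoSize
```

Saving both tables before making any change gives a record of what existed and a checklist to verify against afterwards.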