Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,726 questions
How to remove a Certificate from CA Authority?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 52%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Mayckel TS
21
Reputation points
We have a Domain Certification Authority on Windows Server 2019 DC.
First, I have raised the hash algorithm from SHA1 to SHA256 and then renewed the root certificate with the new hash.
Second, I revoked the old SHA1 certificate. But then I noticed that this old certificate is still being deployed to the domain client computers. How can I prevent the old SHA1 certificate of being deployed or remove it from the CA database so I will only have the new SHA256 certificate?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 33%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Mario Borovčak 0 Reputation points2023-09-12T14:43:31.5+00:00 This is One-Tier Hierarchy? You published new certificate revocation list after revoking certificate? Are you deploying certificates with Group Policy?
-
Mayckel TS 21 Reputation points
2023-09-22T14:37:01.8066667+00:00 That is only One Tier-Hierarchy. I published a new CRL. And also I did not found any GPO deploying that certificate. But still I get that revoked SHA1 certificate being deployed to client machines.
Maybe I could remove it from the PKI View console...
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 28.999999999999996%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
poliveirasilva-MSFT 86 Reputation points Microsoft Employee2023-09-25T17:18:30.93+00:00 Check if CA certificate is still present on PKI configuration partition. Go to PKIView.msc, rigth-click on it and select Manage AD Container. Keep in mind that if you remove trusted cert from clients you may broke applications still relying on it.
Sign in to comment
Sign in to answer