Decommissioning CA - will removing role delete Trusted Root Certificate and Trusted Intermediate Certificates?

Question

Decommissioning CA - will removing role delete Trusted Root Certificate and Trusted Intermediate Certificates?

Gregg Hughes 291

Good morning, all!

I'm nearing the end of decommissioning an old Enterprise CA in favor of a new two-tier infrastructure. Question: if I uninstall the role from the old CA server, does that automagically delete the old CA certificates from Trusted Root Certificates and Trusted Intermediate Certificates in all domain certificate stores? Or will I still have the old certs in the Trusted stores to clean up as needed?

The autoenroll certificates have already been replaced, will manually-enrolled certificates remain in the Personal store after decommissioning the CA that issued them?

Thanks!

Gregg Hughes 291 Reputation points

2021-04-02T19:01:59.373+00:00

Update - I tried this in a lab environment and in that environment removing the CA role DID remove the certs from the Intermediate and Trusted Root containers. Can anyone confirm?
Gregg Hughes 291 Reputation points

2021-04-02T19:41:22.16+00:00

Addendum - the procedure removed certificates from domain controllers but not from member servers. Interesting.....
Anonymous

2021-04-05T06:33:14+00:00

Hi,
Did you follow the steps in the following link?
From the research, we need to remove the certificates issued by the CA manually after remove the ADCS from the DCs.
https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

I will do a lab in my lab ,un-install the CA role, and check the result.
I will update here!

Best Regards,

Accepted answer

0 additional answers

Your answer

Gregg Hughes 291 Reputation points

2021-04-02T19:01:59.373+00:00

Update - I tried this in a lab environment and in that environment removing the CA role DID remove the certs from the Intermediate and Trusted Root containers. Can anyone confirm?
Gregg Hughes 291 Reputation points

2021-04-02T19:41:22.16+00:00

Addendum - the procedure removed certificates from domain controllers but not from member servers. Interesting.....
Anonymous

2021-04-05T06:33:14+00:00

Hi,
Did you follow the steps in the following link?
From the research, we need to remove the certificates issued by the CA manually after remove the ADCS from the DCs.
https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

I will do a lab in my lab ,un-install the CA role, and check the result.
I will update here!

Best Regards,

Answer 1

Anonymous

Hi,
I completed the remove operation.
As you mentioned the root certificate on the DC in both the Trusted Root Certificate and Trusted Intermediate Certificates will be removed.

The root certificates on the domain member in the Trusted Intermediate Certificates will be removed too, but certificate in the Trusted Root Certificate will be kept.(Only the first CA certificate will be kept, if you renewed the ca and have some renewed CA certificates , they will be removed.)

Best Regards,

Gregg Hughes 291 Reputation points

2021-04-08T12:38:29.22+00:00

Thanks for the confirmation! I didn't look that closely at the renewed certs; this is a sandbox and doesn't get a lot of traffic.

g

Share via

Decommissioning CA - will removing role delete Trusted Root Certificate and Trusted Intermediate Certificates?

0 additional answers

Your answer