What is the impact of removing the Enterprise CA Role and issued certificates from a Windows AD domain that are now using third-party certificates?

Stephen 6 Reputation points
2021-07-26T13:48:10.337+00:00

We have a relatively small Windows AD footprint built on Windows Server 2016 Domain Controllers that I initially set up using an Enterprise CA to generate DC certificates for enabling smart card logins on our Windows 10 devices. Recently, we were required to replace the self-issued certificates created through the Enterprise CA role with valid, signed third-party certificates. I have the new third-party certificates installed across the board without any issues. However, I still have the Enterprise CA role installed, along with all of the certificates issued to the domain controllers from the Enterprise CA role.

As most of the DCs are remote, my primary concern is that removal of the Enterprise CA role or the certificates issued from it may result in a loss of trust in the domain that may prevent remote access/management. Is there any significant risk with removing the Enterprise CA role, as well as all of the certificates that were issued by the Enterprise CA now that I have the new certificates installed? Moving forward, we will only use third-party certificates, and I want to minimize the footprint as much as possible on the DCs.


2 answers

  1. Hannah Xiong 6,231 Reputation points
    2021-07-29T07:29:56.667+00:00

    Hello @Stephen ,

    Thank you so much for posting here.

    Before removing the enterprise CA role, please make sure that all certificates that are issued by this CA will not be used. As mentioned, we could log on to the CA server and check all the issued certificates.

    If we make sure that all the issued certificates will not be used, we could then revoke all the certificates and decommission the CA. Otherwise, we need to configure the third-party certificates to replace the issued certificates that will still be used.


    Based on my experience, removing the Enterprise CA Role will have no impact on the domain trust. As we know, there is no certificate involved during the domain trust creation.


    For information about decommissioning a Windows enterprise CA, please refer to:
    https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

    For any question, please feel free to post here.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-07-27T02:09:13.73+00:00

    First off, I am not sure I follow what you mean by "Recently, we were required to replace the self-issued certificates created through the Enterprise CA role with valid, signed third-party certificates." Certificates issued by an ADCS enterprise CA are valid. Maybe you mean that you had a root CA installed. And that's not good practice, to have an online root CA. But all root CAs have a self-signed certificate. Microsoft or third-party. That's how it is. And that's why it is not good to have it on an online machine...

    Then, from an impact perspective, it all depends on the certificates you already issued. You can connect to the ADCS administration console and see what certificates were issued and when they expire. You should also consider stopping publishing templates to make sure you are not issuing new certificates during that transition.

    DCs will typically use the enterprise CA to get certificates they can use mostly for LDAPS. You can replace them with third-party certificates too, see here: https://support.microsoft.com/en-us/topic/b76c99f3-a1b1-adee-3640-5c0f530f20e0.

    By default, there are no CA certificates automatically issued for RDS or WinRM. Thus remote administration should not be affected at all. You might have configured certificates for RDS, but in that case you will see them in the DC store as well as in the issued certificates section in the ADCS console.
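Both answers come down to the same pre-flight check: before the CA role goes away, confirm that nothing on the DCs still depends on a certificate it issued, and that each DC is actually presenting the third-party certificate on LDAPS. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module and WinRM access to the DCs, and `$EnterpriseCaName` is a placeholder for the issuer name of the CA being decommissioned.

```powershell
# Added example (not from the thread). Inventories certificates issued by the
# enterprise CA that are still in each DC's machine store, and reads the
# certificate each DC serves on TCP 636 so the LDAPS issuer can be confirmed.
$EnterpriseCaName   = 'CONTOSO-ENTERPRISE-CA'   # placeholder: CN of the CA being retired
$DomainControllers  = (Get-ADDomainController -Filter *).HostName  # needs RSAT AD module

function Get-LdapsServerCertificate {
    # Opens a TLS session to the DC and returns the leaf certificate it presents.
    param([string]$ComputerName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Validation callback always returns $true: we only want to read the
        # presented certificate here, not trust it for anything.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

foreach ($dc in $DomainControllers) {
    # Certificates in LocalMachine\My whose issuer is the old enterprise CA.
    $legacy = Invoke-Command -ComputerName $dc -ArgumentList $EnterpriseCaName -ScriptBlock {
        param($caName)
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like "*CN=$caName*" } |
            Select-Object Subject, Thumbprint, NotAfter, EnhancedKeyUsageList
    }
    $served = Get-LdapsServerCertificate -ComputerName $dc
    [pscustomobject]@{
        DC                 = $dc
        LdapsIssuer        = $served.Issuer
        LdapsThumbprint    = $served.Thumbprint
        LdapsExpires       = $served.NotAfter
        LegacyCertsInStore = @($legacy).Count
        LegacyThumbprints  = (@($legacy).Thumbprint -join ',')
    }
}

# On the CA itself, the issued-certificate list the answers refer to can be
# dumped from the CA database (Disposition 20 = issued) before revoking:
#   certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```

A DC whose `LdapsIssuer` still names the enterprise CA, or that reports a non-zero `LegacyCertsInStore`, has a dependency to resolve before the CA is decommissioned.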