This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 30%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Removing CA on retiring server 12r2 DC. There are 4 certificates with outstanding expirations pending in 2022/2023. One webcert for an exchange server that is using a separate 3rd party ssl certificate for all its services, however the certificate is still installed on the server itself with some services, even though the 3rd party is the primary one. Can i revoke that cert? Will it force the exchange server to spit up error messages, or should i remove it from the Exchange server first? Then there are three certs for each of the existing domain controllers, including the one to be retired. If i revoke all the certs, what side effects might they have on the DC's? Anything?
I've never been sure what they are required for on DC's in this circumstance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
From Exchange server side, I would suggest you firslty check this link which introduced about How to Remove an SSL Certificate from Exchange Server 2013, check the services binded to your CA certificates.
Set the parameter -Services None to your CA certificates to see if they affect your Exchange service, make sure you could completely replace/get rid of these certificates then remove them. And then you can decomission your CA.
And I also find an official document here gives steps How to decommission a Windows enterprise certification authority and remove all related objects for your reference.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
The Exchange side i will deal with. My bigger concern is the 3 certificates that are issued to the 3 domain controllers. Does AD automatically create and assign these? We have never used the CA for anything except signing certs for Exchange, which we no longer do, and would like to remove the service entirely, since the hardware is being retired. What do i do about the certificates issued to the domain controllers? What are they being used for and can i revoke them safely to decommission the device?
I totally understand your concern, however your question now is more related to windows server and AD, so I would add the related tags to your thread and the engineers there will give you professional support.
Thanks for your understanding!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 79%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello @jeff mcnabney ,
If you have deployed your certificate authority using the default configuration in term of certificate template it is normal that you have some certificates deployed on your domain controller. You can have more information in links below :
https://social.technet.microsoft.com/Forums/windowsserver/en-US/87667cb8-dfab-4835-9733-b2d968ae8f3c/domain-controller-template-autoenrolled-by-dc?forum=winserversecurity
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki
You can revoke these certificates and remove the template from the issuing list but you have to be sure that these domain controllers are not doing anything else than being domain controller