Removing a Certificate Authority that was installed on a DC

jeff mcnabney 301 Reputation points

Have a 2012R2 DC that has a CA role installed, that is heading to decommission. Cannot uninstall the DC role until the CA role is removed. There are only 3 certificates issued on it, all for 3 existing DC's in AD, generated using the default DC template, one of which is this one for decommission. This CA apparently was only used to generate a local SSL certificate for an exchange server, and i am not 100% clear on exactly what the DC certificates are used for. I'm hoping to revoke the certificates but i have no idea what impact that will have on the two remaining DC's. Do the DC certificates auto-renew at expiration? I thought about migrating the CA to another server, but if it's not being used for the exchange anymore, what is the point in keeping it? The hardware has to go and it's one less thing to worry about. How should i approach the certificates for the DC's? If i revoke them, and begin removing the CA role, what can i expect to happen to the DC's? anything or nothing?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,782 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vadims Podāns 9,116 Reputation points MVP

    If there are only three ever issued certificates and they are DC certs, then you can safely decommission CA. No need to migrate, it is not used anymore. Here are instructions to decommission CA:

    0 comments No comments