Checklist: Decommissioning a certification authority
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Once a certification authority (CA) is configured and operating in an enterprise, it becomes an important security resource. The certification authority is required by existing clients to renew certificates, by new clients to issue certificates, and by users of certificates to verify the trustworthiness of issued certificates. If a CA is removed from an enterprise without following the appropriate procedure, functionality may be impaired and extensive cleanup work may be required to restore clients to functionality.
| Step | Reference |
|---|---|
| Perform a backup of the certification authority (CA) database to ensure recoverability of data at a later date. | |
| Deny all pending certificate requests currently stored on the CA. | |
| (Optional) Allow the Active Directory directory service to replicate the certificate denials and allow Group Policy to inform the clients that the certificate request is denied. The denied clients are then informed that their request was denied so they can remove the request from their list of outstanding requests. | |
| Revoke the CA's certificate from its parent CA. When revoking the CA certificate, specify the reason as "Cessation of Operation." | |
| Manually publish a new certificate revocation list (CRL) to ensure the CRL contains revocation information about the CA that was recently revoked. | |
| Uninstall the Certificate Services component. | |
| Remove remaining information about this CA from Active Directory. At a command prompt, type `certutil.exe -dsdel CAName` and press ENTER, where CAName is the name of the CA you are removing. | |
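The certutil commands behind the checklist above, as an added batch-file example that is not part of the original page. It assumes the retiring CA is named ExampleSubCA, that its parent is reachable as parentca01.example.test\ExampleRootCA, and that the backup folder and the serial number of the retiring CA's certificate are replaced with your own values; run it once for steps 1 through 5, uninstall Certificate Services by hand, then run it again with the argument `cleanup` for the final step.

```batch
@echo off
REM Added example, not from the original checklist. Every name below is a placeholder.
setlocal
set CANAME=ExampleSubCA
set BACKUPDIR=D:\CABackup\ExampleSubCA
set PARENTCA=parentca01.example.test\ExampleRootCA
set SUBCA_SERIAL=0000000000000000
if /i "%~1"=="cleanup" goto :cleanup

echo [Step 1] Back up the CA database so its history can be restored later.
certutil.exe -backupdb "%BACKUPDIR%" || goto :fail

echo [Step 2] Deny every pending request (Disposition 9 = request pending).
REM The findstr guard skips the csv header and certutil's trailing status line.
for /f "usebackq skip=1 tokens=1 delims=," %%R in (
  `certutil.exe -view -restrict "Disposition=9" -out RequestId csv`
) do (
  echo %%~R| findstr /r "^[0-9][0-9]*$" >nul && certutil.exe -deny %%~R
)
REM Step 3 (optional): wait for Active Directory replication before continuing.

echo [Step 4] On the parent CA, revoke this CA's certificate.
REM Reason code 5 = Cessation of Operation, the reason the checklist requires.
certutil.exe -config "%PARENTCA%" -revoke %SUBCA_SERIAL% 5 || goto :fail

echo [Step 5] Publish a new CRL from the parent so relying parties see the revocation.
certutil.exe -config "%PARENTCA%" -crl || goto :fail

echo [Step 6] Uninstall Certificate Services manually, then run: %~nx0 cleanup
endlocal
exit /b 0

:cleanup
echo [Step 7] Remove the CA's remaining objects from Active Directory.
certutil.exe -dsdel "%CANAME%" || goto :fail
echo Decommissioning of %CANAME% completed.
endlocal
exit /b 0

:fail
echo A certutil step failed; stop and investigate before continuing.
endlocal
exit /b 1
```

Steps 1 and 2 must run on the CA being retired, while steps 4 and 5 target the parent CA through `-config` and need administrative rights there.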