Trusted root certification authority.

Hello,

I notice on every server and client machine in our organisation that somehow 2 root certificates (purpose: All) are getting added automatically.

These root certificates are already expired and not related to our current enterprise CA server.

I checked RSOP.html on a client machine and/or GPOs on the DC, but could not figure out the source.

Any help greatly appreciated.

Thanks.

April 19th, 2015 10:43am

Hi,

Since these root certificates don't belong to your own CA, nor were they published through Group Policy, they could have been added by the Windows Root Certificate Program.

More information for you:

Introduction to The Microsoft Root Certificate Program

http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx

Best Regards,

April 20th, 2015 9:37am

Thanks for your reply Amy,

Sorry, what I mean to say is that they do not belong to our current CA,

but they clearly are (self-signed) from our organisation.

How they are still getting distributed is unsure.

April 20th, 2015 11:46am

Hi,

You are welcome.

You may enable the CAPI2 log to monitor certificate store operations, which is under Applications and Services Logs\Microsoft\Windows\CAPI.

After you enable the CAPI2 log, delete those 2 root certificates and wait to see whether they are added again. If they are, check the CAPI2 log for detailed information.

More information for you:

Enable CAPI2 event logging to troubleshoot PKI and SSL Certificate Issues

http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx

Best Regards,

Amy

April 21st, 2015 1:58am

Try to use the PKIView utility. In PKIView, right-click on your enterprise PKI object in the left panel and select the manage containers option. Verify the root CA certificates and see if you can find them in the root CA container. Delete them from the container. HTH.
April 21st, 2015 3:59pm

Also check the AIA container for the same.
April 21st, 2015 4:10pm

Great. Thanks 

I can see those 2 root certs under "Certification Authorities Container, CDP container and AIA Container"

So what does this mean? Does it mean they were some old CA in our organisation from the past?

And once I remove them from here, I understand they won't be further deployed to clients - right?

Will I also need to run some script to get them removed from all client machines?

April 22nd, 2015 3:24am
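
A read-only way to answer the thread's question of where the expired roots come from, as an added example that is not part of the original posts: it lists expired certificates in the machine Root store, names the physical store holding each one, and then shows where the same certificates are published under the Public Key Services container that PKIView manages. It assumes PowerShell 3.0 or later, run elevated on a domain-joined machine; the variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted.
$now = Get-Date

# Registry keys that back the LocalMachine\Root logical store, by delivery mechanism.
$physical = [ordered]@{
    'Enterprise (AD)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Group Policy'    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Local registry'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Third-party'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
}

# 1. Expired roots on this machine, with the physical store(s) holding each one.
$expired = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt $now }
$onHost = foreach ($cert in $expired) {
    $sources = foreach ($name in $physical.Keys) {
        if (Test-Path (Join-Path $physical[$name] $cert.Thumbprint)) { $name }
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Source     = $sources -join ', '
    }
}
$onHost | Format-Table -AutoSize

# 2. Where those same certificates are published in the AD Configuration partition
#    (Certification Authorities, AIA, and any other object carrying cACertificate).
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [adsisearcher]'(cACertificate=*)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"
$published = foreach ($result in $searcher.FindAll()) {
    foreach ($raw in $result.Properties['cacertificate']) {
        try {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        } catch { continue }   # skip placeholder values that are not certificates
        if ($onHost.Thumbprint -contains $c.Thumbprint) {
            [pscustomobject]@{ Thumbprint = $c.Thumbprint; PublishedAt = $result.Path }
        }
    }
}
$published | Sort-Object Thumbprint | Format-Table -AutoSize
```

Rows whose Source is "Enterprise (AD)" are the copies pulled from the AD containers; the other sources point at Group Policy, a local import, or the Windows root program, and expired Microsoft roots listed there are expected.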
