Decommission an unused Certification Authority
Hello. We set up a CA some time ago which was never used. Today I have come to look at switching the servers off; however, in the Issued Certificates container all our domain controllers are showing as having an active certificate. Firstly, we haven't configured them to use certificates, so why have they registered with the authority automatically? Secondly, can we safely switch these servers off without performing the decommissioning steps? We don't want to uninstall this in case we want to use it in the future; however, we would like to power it off and archive the server. Can anyone advise me if this is safe? I don't want to cause problems with our Active Directory domain by doing this. Many thanks.
February 28th, 2011 9:41am

Prior to this you must decommission existing CA servers as follows: http://support.microsoft.com/kb/889250
http://en-us.sysadmins.lv
February 28th, 2011 12:07pm

Thanks for the reply. I have seen that article but that's not what I am asking. I am asking if I can switch off the servers without causing an issue with my domain controllers, as I can see that they have autoenrolled and got a certificate from this server. Many thanks.
February 28th, 2011 2:27pm

On Mon, 28 Feb 2011 19:26:00 +0000, Aeropars wrote:
> Thanks for the reply. I have seen that article but that's not what I am asking. I am asking if I can switch off the servers without causing an issue with my domain controllers, as I can see that they have autoenrolled and got a certificate from this server.
You don't really have to decommission your CA(s); however, you will need to delete all of the certificates that have been issued to your domain controllers. If you don't do this, eventually you will start to have problems as the DCs will not be able to source a valid certificate revocation list (since the CA(s) are no longer publishing CRLs). To delete the certificates run: certutil -dcinfo deleteall
Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca I am a computer -- dumber than any human and smarter than an administrator.
February 28th, 2011 2:54pm
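To see the problem Paul describes before it bites, the following added example (not from this thread or from Microsoft) inventories the certificates in a domain controller's machine store that were issued by the CA being retired and runs an online revocation check on each, which is what fails once the CA stops publishing CRLs. The CA name in `$CaName` is an assumed placeholder; run it on each DC before powering the CA off.

```powershell
# Assumed placeholder: replace with the common name of the CA being retired.
param(
    [string]$CaName = 'Contoso Issuing CA'
)

# Certificates in the local machine Personal store whose issuer is the retired CA.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$CaName*" }

if (-not $issued) {
    Write-Output "No certificates issued by '$CaName' found in LocalMachine\My."
    return
}

foreach ($cert in $issued) {
    # Build the chain with online revocation checking, the same check that
    # LDAPS clients and smart card logon perform against the DC's certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $built  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainBuilt = $built
        # RevocationStatusUnknown / OfflineRevocation here means the CRL can
        # no longer be fetched, i.e. the CA has stopped publishing it.
        Status     = if ($built) { 'OK' } else { $status }
    }
}
```

The script only reports; removing the listed DC certificates is what the thread's `certutil -dcinfo deleteall` does.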

Many thanks for the reply. I'm not an expert on certificate services so I just have a couple of questions. Why did the domain controllers auto-enrol with the certificate service? So if I revoke all of the certificates the domain controllers will stop using certificate services and will continue to work as normal? I'm a little nervous about doing this as I don't know too much about how DCs utilise certificates in this scenario. Thanks for your help so far.
March 1st, 2011 5:15am

> Why did the domain controllers auto-enrol with the certificate service?
They enroll them for LDAPS usage and to handle certificate-based authentication (client certificate and smart card logon).
> So if I revoke all of the certificates the domain controllers will stop using certificate services and will continue to work as normal?
Yes, except the mentioned LDAPS and certificate-based authentication (if they were configured).
http://en-us.sysadmins.lv
March 1st, 2011 6:01am

Thanks. We haven't configured anything to use this CA, so that's why I was surprised to see that the domain controllers have enrolled with it. So providing we haven't configured anything to use certificates, then we can just revoke the DC certificates and the DCs will work as expected? I just want to be sure that this doesn't cause the domain any problems. I'm certain nothing was set up to use certificates.
March 1st, 2011 6:30am

I suggest you have a look at this Microsoft link named "Removing Domain Controller Certificates". Link: http://technet.microsoft.com/en-us/library/cc783979(WS.10).aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration, Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 1st, 2011 6:34am

> Can anyone advise me if this is safe?
Please be aware that an Issuing CA's key pairs are valid to impersonate any user (including domain admins) or computer account, since the key pairs are trusted in the NTAuth Certificates container. Please be very careful where you place your CA keys. A general advice from me is to handle your physical security for Issuing CAs the same way you handle it for your domain controllers.
// Fredrik "DXter" Jonsson, Senior Security Engineer, Infrastructure Management Consulting Services - Steria AB. Blog: http://www.poweradmin.se
March 1st, 2011 8:30am

I'm sorry. I don't understand how this relates to switching off 2 servers which are CAs. Could you please explain? If you refer to my previous posts, security is not a problem as these have never been used for anything. It was intended they would be used, but we went in another direction and now they are not needed. I want to know if I revoke the certificates and switch the servers off, am I likely to experience any problems. I'm concerned the answers are getting a little over complex.
March 1st, 2011 8:54am

If a hacker gets his hands on the key pairs of an Enterprise CA, that hacker could make himself a domain admin by simply issuing a certificate for Administrator and then impersonating him by using that certificate. The CA is trusted in Active Directory to guarantee and validate the digital identity of the users and computers. If a hacker can control the key pairs of an Enterprise CA, he can issue a certificate for Administrator to himself and identify himself as that user.
// Fredrik "DXter" Jonsson - http://www.poweradmin.se
March 1st, 2011 9:43am
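The trust Fredrik describes lives in the NTAuthCertificates object in the Configuration partition. This added example (not from the thread) reads that object and lists every CA certificate the domain trusts for certificate-based logon, so an administrator can confirm whether a CA that is being powered off is still on that list and, with the second function, whether a given issued certificate would chain to one of them. The thumbprint used in the sample call is an assumed placeholder.

```powershell
# Return the CA certificates AD trusts for certificate logon (NTAuthCertificates).
function Get-NTAuthCertificate {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

    # cACertificate is multi-valued; each value is a DER-encoded certificate.
    foreach ($der in $ntAuth.cACertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            # A CA listed here is trusted even if the CA host itself is powered off.
            Expired    = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# True if the CA with the given thumbprint is still trusted for logon.
function Test-NTAuthTrust {
    param([Parameter(Mandatory)][string]$CaThumbprint)
    $match = Get-NTAuthCertificate |
        Where-Object { $_.Thumbprint -eq $CaThumbprint.ToUpperInvariant() }
    return [bool]$match
}

# Sample usage with an assumed placeholder thumbprint (not a real CA).
Get-NTAuthCertificate | Format-Table -AutoSize
Test-NTAuthTrust -CaThumbprint '0000000000000000000000000000000000000000'
```

Removing a retired CA from NTAuth is part of the decommissioning procedure in the KB article linked earlier in the thread; this script only reports.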

Ah, I understand what you're saying. By switching the CA off though, wouldn't that be secure enough? I understand you would normally switch off the root CA for security.
March 1st, 2011 10:51am

Store your CA (and its keys) in a very secure location with high physical security, with no access for unauthorized people.
// Fredrik "DXter" Jonsson - http://www.poweradmin.se
March 1st, 2011 12:46pm

Decommission the CA server properly, whether or not you installed it and planned on using it; certs have been issued out and will be expiring.
March 1st, 2011 5:02pm
