Guide to AD Certificate Services certs on Server 2008 Enterprise?
I've been experimenting with the Active Directory Certificate Services on Server 2008 Enterprise, along with the Network Device Enrollment Service, and just noticed a buildup of certificates when using the Certificates snap-in for mmc.exe. I'm speaking of certs in Personal -> Certificates, Trusted Root Certification Authority -> Certificates, Intermediate Certification Authority -> Certificate Revocation Authorities, and Intermediate Certification Authority -> Certificates. There are a number of certs that either include the machine name, include a name that obviously references my company, or both. This is strictly a test server and no clients rely on it for anything. I'd like to strip out all the certificates that don't need to be here, but can't find a guide that explains what is what.

For example, I see several certs with names containing my company's name, followed by "Enterprise". I'm thinking I should keep these? Or were they installed with AD CS, and would be reinstalled if I removed and re-added this service? I see some with MSCEP in the name, and am fairly certain these are tied to the Network Device Enrollment Service. I see others that appear in pairs, and with the same date/time stamp. The only difference is that one has a key as part of its icon. Private key and root certificate pairs? And what about the other certs?

If someone can point me to a guide that explains what everything is, that's really all I need. (The built-in help wasn't so helpful, and I haven't been able to find any useful docs online.) Or if you can give a brief explanation here, I'd be very appreciative. In general then, assuming I'm reinstalling the AD CS components, which certs can be deleted?

Thanks!
Todd
August 7th, 2010 1:03am

I read this a year and a half or so ago and it helped a bit, but it is not free... http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/0735625166/ref=sr_1_1?ie=UTF8&s=books&qid=1281149205&sr=8-1 What have you read so far? We might be able to point you to some other stuff.

The certificates that have your company name in them will be regenerated if you reinstall ADCS (these are the steps involving creation of the private key, specifying the length and cryptographic service provider, and creating the root/subordinate CA certificate).

The ones with the key indicate that you have a private key for the certificate. If you open the properties you will see "You have a private key that corresponds to this certificate." For me (I have a standalone CA installed right now), the certificate with the private key attached is for the server and has the "Server Authentication" EKU. The CA cert does not have the private key attached to the certificate, but it is present on the machine for signing purposes (see http://msdn.microsoft.com/en-us/library/aa375596%28VS.85%29.aspx ).

The other certificates in the "Trusted Root Certification Authorities" store are issued by Microsoft or as part of their Microsoft Root Certificate Program, http://technet.microsoft.com/en-us/library/cc751157.aspx You can remove these, but you will potentially run into issues accessing websites secured by SSL, installing updates and authenticating signed software. These are all signed with a certificate whose chain ends at one of the trusted CAs (oddly enough, not necessarily Microsoft; the certificate for obtaining System Center Operations Manager Management Packs ends at GTE CyberTrust Global Root).

-- Mike Burr
August 7th, 2010 6:04am

Thanks for the tips, Mike. It's late right now, and I'll re-read your reply and perhaps post more tomorrow. I use OpenSSL a lot and feel like I have a good, general understanding of PKCS...but not from a Windows Server perspective. My biggest issue is making sure that if I delete any certs that either reference the computer name or reference my company's name, that I won't be killing the server. The "Enterprise" certs, in particular. The rest I can probably figure out if I pay closer attention (hopefully). Thanks again, Todd
August 7th, 2010 8:05am

I've just started re-examining this. I uninstalled all parts of Active Directory Certificate Services (and IIS) and then deleted all certificates on the server that contained the machine name or any reference to my company. Then I reinstalled just the Certificate Authority portion of ADCS. Reinstalling created one Personal Certificate entry, two entries in Trusted Root Certificate Authority, two entries in Intermediate Certificate Authorities -> CRL, and one entry in Intermediate Certificate Authorities -> Certificates.

The "Enterprise" certs were not remade...but either a number of reboots or a certain amount of time later, they returned, along with two more Root Certificates and two more Intermediate Certificates. (I suppose the Root and Intermediate areas always mirror each other?) The Enterprise certs, too. The Enterprise certs seem important (still not sure what they do), but automated processes like this frustrate me.

I've noted the PKI and Certificate Authority book on Amazon, but if anyone can point me to a free web tutorial somewhere, I'm just trying to figure out what these certificate and certificate-related entries are used for. Case in point: the two root certificates that appeared after reinstalling ADCS. One has a key icon and the other doesn't, but viewing each certificate's properties, neither ever contains the text "You have a private key that corresponds to this certificate" on the General tab. Exporting each, the certificate with the key icon randomly gives me an option to export the private key. Other times it is treated as a simple X509 cert, with no PKCS12 export option. I'm assuming it isn't supposed to work this way?

Any clarifications would be most appreciated! (If this reply doesn't bump my thread to the top, I shall start a new one... :)
August 16th, 2010 7:40pm
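Added example, not posted by anyone in this thread: a PowerShell inventory of the three LocalMachine stores the thread discusses (Personal, Trusted Root, Intermediate), printing for each certificate the attributes that distinguish the entries Mike describes and Todd asks about: whether a private key is present (the key icon), whether the certificate is a CA certificate, whether it is self-signed (a root), and its Enhanced Key Usages. It assumes the Cert: provider available in PowerShell on Server 2008; $CompanyPattern is an assumed placeholder to replace with part of your own CA or company name.

```powershell
# Assumed placeholder: a substring of your CA / company name as it appears in Subject.
$CompanyPattern = 'CONTOSO'

# Store names as shown in the Certificates MMC snap-in, mapped to Cert: provider paths.
$stores = @{
    'Personal'                               = 'Cert:\LocalMachine\My'
    'Trusted Root Certification Authorities' = 'Cert:\LocalMachine\Root'
    'Intermediate Certification Authorities' = 'Cert:\LocalMachine\CA'
}

function Get-CertInventory {
    foreach ($name in $stores.Keys) {
        foreach ($cert in Get-ChildItem -Path $stores[$name]) {
            # Basic Constraints says whether this is a CA certificate; EKU lists its purposes.
            $bc  = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            New-Object PSObject -Property @{
                Store         = $name
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # True when the store entry is linked to a private key (the key icon in MMC).
                HasPrivateKey = $cert.HasPrivateKey
                IsCA          = ($bc -ne $null -and $bc.CertificateAuthority)
                # A self-signed certificate is a root; an issued one chains to something else.
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                EKU           = $(if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' }
                                  else { '(none / all purposes)' })
                # Flag entries that mention the company or this machine, the ones the thread asks about.
                Mine          = ($cert.Subject -match $CompanyPattern -or $cert.Subject -match $env:COMPUTERNAME)
            }
        }
    }
}

Get-CertInventory |
    Where-Object { $_.Mine } |
    Sort-Object Store, Subject |
    Format-Table Store, Subject, HasPrivateKey, IsCA, SelfSigned, EKU, NotAfter -AutoSize
```

Drop the Where-Object filter to list everything, including the Microsoft Root Certificate Program entries Mike mentions; compare thumbprints across stores to see which Root and Intermediate entries are copies of the same certificate.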
