I have a enterprise subordinate root server that only has 3 certificates that are active. I would like to decommission it. I have read through the article on decommissioning as well as the 2008 certificate migration guide yet I not sure I understand what stops a CA from issuing certificates. I have posted before and am trying to decide whether I want to migrate the enterprise root to 2008 or start over but since the enterprise subordinate only has 3 active certificates it would be easy to just decommision it and create new issuing subordinate CAs on my 2008 R2 servers. I have stopped auto-enrollment in AD so I think the only way that the existing enterprise CA would issue a certifiacte would via a request to the CA. From what I have read it seems that I need to extend the lifetime of the CRL, revoke the active certificates, and then issue a new CRL. I should then be able to follow through the balance of the process and decommission the CA, decommision the domain controller the CS is running on, and then remove the server from the domain. But what actualy stops an installed CA from issuing certificates? eburch@lasertel.com

The easiest way is to remove all assigned templates from the CA. In the Certification Authority MMC snap-in select Certificate Templates folder and remove all templates. And you can leave CA in operational state to publish new CRLs. After that you can start decomission process.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

And if remember correctly there is no reason to revoke expired certificates since they are not trusted by default. Thx as always for the help.eburch@lasertel.com

Yes, it is not necessary to revoke them.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki