Multiple Enterprise Root Certificates on a Single CA
Hello everyone, I have a simple test network running with multiple servers and clients on a Hyper-V box. I installed a CA on a Server 2003 virtual box and I removed the CA immediately. After several days I installed a CA on the same machine with a different Enterprise Root Certificate name. Now I have two Enterprise root certificates distributed to all my client and server machines via group policy. Is there any way I can uninstall or delete the old Enterprise Root Certificate from the Certificate Authority, and how? Thanks...
June 14th, 2010 1:10am
Hi, when you install the CA and issue the certificates to the clients, then later remove the CA, you have to revoke the issued certificates to the clients. Follow the article below: http://support.microsoft.com/kb/889250
June 14th, 2010 6:28am
I removed the CA immediately after I installed it; I didn't issue any certificates to the clients the first time I installed the CA. A week later I reinstalled the CA on the same machine with a different Enterprise Root Certificate name, and then I issued certificates to the clients. Now all clients have two "Trusted Root Certification Authorities" certificates, for the old CA installed before and the current one, because the CA server still contains the private key for both enterprise root certificates. I would like to remove the old Enterprise Root Certificate from the CA so it will not distribute the old Enterprise Root Certificate to all clients in the "Trusted Root Certification Authorities" certificate store.
June 15th, 2010 11:48pm
Hi, when you removed the CA, did you follow the KB article mentioned by Sainath? When we install an enterprise CA, a lot of CA objects are created in the configuration container in Active Directory. Therefore, if you removed the CA role without following the steps, some objects may not be removed successfully. If you have verified that the objects have been removed, you can simply remove the old CA certificate from the Trusted Root Certification Authorities store on the client computers. This posting is provided "AS IS" with no warranties, and confers no rights.
June 17th, 2010 6:15am
Hi, how are you? We've not heard back from you in a few days and wanted to check if you need further assistance. If there is anything unclear, please feel free to respond back. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
June 21st, 2010 4:11am
Sorry for the delayed response, I did not follow the KB article mentioned by Sainath. Is there any way to correct this problem after I reinstalled the CA on the same machine? Any help would be appreciated. I still see two Enterprise Root Certificates in the Trusted CA store on all of my machines. Thanks...
July 2nd, 2010 6:40pm
Hi, you need to perform Step 6: Remove CA objects from Active Directory in the KB article to remove the old CA objects. After that, please run gpupdate /force on the machines to check if the old CA certificate can be removed automatically. If it cannot be removed automatically, I am afraid that you need to remove it manually. You may use the certutil -delstore command to remove the certificate. http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 5th, 2010 4:56am
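The answer above boils down to two checks before anything is deleted: is the stale root still published in the Active Directory configuration partition (which is why group policy keeps pushing it), and which local store entries belong to it. The following PowerShell script is an added example, not code from this thread or from Microsoft's KB article; it audits both places and only removes the local store entry when run with -Remove. The CA name "OLD-CA-NAME" and the forest DN "DC=example,DC=local" are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): audit a stale enterprise root CA, then optionally
# remove its local Trusted Root entry. Run as an administrator on a domain-joined machine.
param(
    [string]$OldCaName = "OLD-CA-NAME",          # placeholder: CN of the CA that was removed
    [string]$ForestDn  = "DC=example,DC=local",  # placeholder: DN of the forest root domain
    [switch]$Remove                              # default is audit-only
)

$pkiDn = "CN=Public Key Services,CN=Services,CN=Configuration,$ForestDn"

# 1. Which entries in the machine's Trusted Root store belong to the old CA?
$stale = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$OldCaName*" }

"--- Local Trusted Root store entries matching CN=$OldCaName ---"
foreach ($cert in $stale) {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # true only on the old CA box itself
    }
}

# 2. Is the old CA still published in AD? Autoenrollment re-pushes whatever sits in these
#    containers, so a local delete is undone at the next gpupdate while these objects remain
#    (this is what KB 889250 step 6 cleans up via pkiview.msc or ADSIEdit).
"--- AD Public Key Services containers ---"
foreach ($container in "Certification Authorities", "AIA", "Enrollment Services") {
    try {
        $entry = [ADSI]"LDAP://CN=$container,$pkiDn"
        foreach ($child in $entry.Children) {
            $name = $child.Properties["cn"].Value
            $flag = if ($name -eq $OldCaName) { "<-- stale, delete this object" } else { "" }
            "{0,-26} {1} {2}" -f $container, $name, $flag
        }
    } catch {
        Write-Warning "Could not read CN=$container,$pkiDn : $_"
    }
}

# 3. NTAuthCertificates is a single object whose cACertificate attribute holds every
#    enterprise CA cert; a leftover value here lets certificates from the old key
#    still be accepted for smart-card and other AD logons.
"--- NTAuthCertificates ---"
try {
    $ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiDn"
    foreach ($raw in $ntauth.Properties["cACertificate"]) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
        $flag = if ($c.Subject -like "CN=$OldCaName*") { "<-- stale" } else { "" }
        "{0}  {1} {2}" -f $c.Thumbprint, $c.Subject, $flag
    }
} catch {
    Write-Warning "Could not read NTAuthCertificates: $_"
}

# 4. Local removal, using the certutil -delstore command the answer refers to.
#    Only meaningful once the AD objects above are gone; otherwise the entry comes back.
if ($Remove) {
    foreach ($cert in $stale) {
        "Removing $($cert.Thumbprint) from LocalMachine\Root"
        & certutil.exe -delstore Root $cert.Thumbprint
        # On the old CA box the private key container is not touched by -delstore;
        # clean it up separately once you are sure nothing was ever issued from it.
    }
}
```

Run it once without -Remove on a client to see whether the "stale" flag appears in any AD container; if it does, finish the KB article's Step 6 first, then rerun with gpupdate /force on the clients as the thread describes, and only use -Remove for machines where the entry still lingers afterwards.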
Thanks Joson, Step 6: Remove CA objects from Active Directory did the trick. After removing those bad certificates from the Services node in "Active Directory Sites and Services" or using ADSIEdit, those bad certificates did not get distributed to servers. The good news is I did not have to go to each server and remove the bad certificates from the local certificate stores; gpupdate /force removed the bad certificates from all servers automatically. Thanks again...
July 5th, 2010 6:16am
Glad to hear that and have a nice day. :) Joson Zhou, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact email@example.com This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 5th, 2010 7:29am