Questions about removing a CA
Trying to help decommission a CA using KB article 889250. The company built a CA for OWA and is no longer using it. The only certs issued were to DCs and the OWA box. The original cert is expired. Just a little confused about a few steps.

1. Is it necessary to publish a CRL if the CA AD objects are being removed?
2. Can you just use PKVIEW for Step 7: Delete certificates published to the NtAuthCertificates object?
3. There were certs issued to the DCs. Will there be any problems with the DCs after the CA is removed?

Many thanks in advance for any assistance.
February 18th, 2010 11:00pm

Hi, when you have the certificate expired with respect to time, why do you want to publish a CRL? A CRL is related to revocation and not related to the validity of the certificate. For example: a CRL only contains the list of certificates which are forcefully revoked even before the certificate is expired. In other words, unexpired certificates are placed in the CRL. Keeping in mind that you are following the article below, under step 7 the appropriate commands are self-explanatory, such as -viewdelstore. http://support.microsoft.com/kb/889250
March 3rd, 2010 4:43am

The only reason was because the DCs were still showing as non-expired under the Issued. Will there be any issues with the DCs if there is no CRL? Thanks again for your help.
March 24th, 2010 5:59pm
