Scrapping PKI setup and starting over.
I've taken over the support role in an enterprise environment. My predecessor started to set up a PKI infrastructure and never completed his rollout. What I know I have:
- VM offline image of an Enterprise Root CA with only 6 years remaining on its lifespan
- Online Enterprise CA
- Errors in PKIVIEW relating to AIA and CRL locations; they point to invalid URLs
As far as we know there was nothing using the PKI infrastructure; however, I do see certificates that were handed out (most are expired or nearing expiration). What would be the best way to just tear all of this out and start over? Or should I start over and repair all of the problems?
August 18th, 2010 9:01pm

If it is easy to invalidate all currently issued certs, I would advise creating a new PKI from scratch. There are general recommendations:
1) Implement an offline Standalone Root CA. This CA will issue certs to SubCAs only.
2) Implement an online Enterprise SubCA. This CA will issue certs to end principals.
3) Use HTTP-only URLs for the CDP/AIA extensions. Point the extensions to corporate web servers that are accessible from both internal and external networks. Configure the CA to publish the CRT/CRL files to that server automatically (for Enterprise CAs only), or manually if the CA server has no access to the web server.
http://en-us.sysadmins.lv
August 18th, 2010 9:27pm

I have one problem with pushing CDP/AIA to web servers which are public and private. The only servers that exist that meet those roles are Domino servers not running IIS.
August 18th, 2010 10:24pm

It doesn't matter whether this is IIS, Domino or Apache. You just need to make them accessible from the server. For example, you may choose a URL form such as www.company.com/pki/{filename.crl|crt} and publish the files by various means (via SMB, FTP, etc.).
http://en-us.sysadmins.lv
August 18th, 2010 11:03pm
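As an added example (not from either poster), here is what the three recommendations above plus the www.company.com/pki URL form from the follow-up look like as actual CA configuration. It assumes the web server exposes its /pki directory over SMB as \\webserver\pki and that the SubCA's computer account can write there; both names are made up for the example. Each step is typed in an elevated PowerShell on the CA it names.

```powershell
# Added example, not from the thread. Assumed names: http://www.company.com/pki is the
# public URL (from the thread) and \\webserver\pki is the SMB share behind it (made up).
$web   = 'http://www.company.com/pki'
$share = '\\webserver\pki'
$local = "$env:windir\system32\CertSrv\CertEnroll"

# --- Step 1: offline Standalone Root CA. Write CAPolicy.inf BEFORE installing the CA role. ---
# An empty CDP/AIA in the root certificate is deliberate: nothing can revoke a self-signed
# root, and clients never follow URLs found in a certificate they already trust.
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $rootPolicy -Encoding Ascii

# Root CRL/CRT locations, set after the role is installed. The numeric prefix is a flag mask:
#   CDP: 1 = publish the CRL here, 2 = put in CDP of issued certs, 4 = put in CRLs (delta
#        pointer), 64 = publish the delta CRL here.   AIA: 1 = publish cert here, 2 = put in AIA.
#   %1 = server DNS name, %3 = CA name, %4 = cert index, %8 = CRL suffix, %9 = delta suffix.
# Only the HTTP URL ends up in the SubCA certificate (flags 6 / 2). The root is offline, so
# its CRL (valid one year) is carried from CertEnroll to the web server by hand.
certutil -setreg CA\CRLPublicationURLs "65:$local\%3%8%9.crl\n6:$web/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$web/%1_%3%4.crt"
Restart-Service CertSvc
certutil -crl              # writes the CRL to every location flagged 1/65; copy it out now

# --- Steps 2 and 3: online Enterprise SubCA. Same HTTP URLs in the extensions, plus an
# automatic copy to the web server share over SMB (file:// with flag 65 / 1). No LDAP URL,
# so a client outside the forest never hits an unreachable CDP. ---
certutil -setreg CA\CRLPublicationURLs "65:$local\%3%8%9.crl\n6:$web/%3%8%9.crl\n65:file://$share\%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$web/%1_%3%4.crt\n1:file://$share\%1_%3%4.crt"
Restart-Service CertSvc
certutil -crl              # fails loudly here if the CA cannot write to \\webserver\pki

# --- Check: take the SubCA's own certificate and walk its AIA/CDP exactly as a client would.
# Every URL should come back "Verified"; pkiview.msc should then show no red entries. ---
certutil -ca.cert "$env:TEMP\subca.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\subca.cer"
```

The AIA file name `%1_%3%4.crt` and the CRL name `%3%8%9.crl` are the same patterns the CA uses for its local CertEnroll copy, so the file dropped on the share is already named exactly what the HTTP URL in the extension asks for; nothing on the Domino side has to rename or rewrite anything.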

Ok.. so I'm following (http://support.microsoft.com/kb/889250/en-us) to remove it from the domain. During step #6 I'm getting an error while trying to re-import the output.ldf file that it makes. It's telling me: error in line 4, the last token starts with 'd'. This is kind of confusing, and I don't want to leave traces behind. One other thing: how can I be sure there's nothing left behind from the previous person trying to do this? At one point I saw other CAs listed with our domain name; however, they aren't listed anywhere else.
August 19th, 2010 3:48pm

I never used that article for the decommission process. I just run pkiview.msc, right-click the top node and select Manage AD Containers. In the dialog box I remove all objects (certificates and CRLs) that are associated with the decommissioned CA. After that I remove the CA role from the server. This is quite an easy way when you need to remove an entire PKI hierarchy from the forest. Tip: the Enterprise CAs list is stored in the Enrollment Services container.
http://en-us.sysadmins.lv
August 19th, 2010 6:25pm

So all boxes in PKIVIEW need to be blank? I've got items in NTAuthCert, the AIA container, and the Certification Authorities container. Is there any way to see if there are any other CAs running on our network other than the ones documented?
August 19th, 2010 7:17pm

> So all boxes in PKIVIEW need to be blank?
Yes, if you want to remove all PKIs in the forest.
> Is there any way to see if there are any other CAs running on our network other than the ones documented?
No. The CAs you see during certificate enrollment are stored in the Enrollment Services container. There is no way to find "hidden" CAs.
http://en-us.sysadmins.lv
August 19th, 2010 7:22pm
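An added example (not from either poster) covering both answers above: the pkiview.msc "Manage AD Containers" clean-up and the point that the Enrollment Services container is where the forest's CA list lives. The script inventories every CA-related object under CN=Public Key Services, decodes the published CA certificates so expired or undocumented issuers stand out, and then deletes the objects for one named CA with -WhatIf/-Confirm support. It assumes a domain-joined machine and Enterprise Admin rights for the delete; the CA name 'OldCorp-CA' in the usage lines is made up.

```powershell
# Added example, not from the thread. Read-only until Remove-AdPkiObjectsForCa is called
# without -WhatIf. The KRA container is not covered (different object class).

function Get-AdPkiObjects {
    # Searches CN=Public Key Services in the forest Configuration partition for:
    #   pKIEnrollmentService   - Enrollment Services: the CAs offered to enrollment clients
    #   certificationAuthority - Certification Authorities, AIA, and the NTAuthCertificates object
    #   cRLDistributionPoint   - CDP: one published CRL object per CA, under a per-server container
    $cfg  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $base = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$cfg"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500
    $searcher.Filter = '(|(objectClass=pKIEnrollmentService)(objectClass=certificationAuthority)(objectClass=cRLDistributionPoint))'
    foreach ($name in 'distinguishedName','objectClass','dNSHostName','cACertificate','certificateRevocationList') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # Decode every published CA certificate; an expired or unfamiliar subject here is
        # exactly the "other CA with our domain name" the question is about.
        $certs = foreach ($blob in $p['cacertificate']) {
            if ($blob.Length -gt 0) {   # guard against an empty attribute value
                $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
                '{0}; expires {1:yyyy-MM-dd}; {2}' -f $c.Subject, $c.NotAfter, $c.Thumbprint
            }
        }
        $crl = @($p['certificaterevocationlist'])[0]
        [pscustomobject]@{
            DN       = [string]@($p['distinguishedname'])[0]
            Class    = [string]@($p['objectclass'])[-1]    # most specific class is listed last
            Host     = [string]@($p['dnshostname'])[0]     # only pKIEnrollmentService carries this
            Certs    = @($certs)
            CrlBytes = if ($crl) { $crl.Length } else { 0 }
        }
    }
}

function Remove-AdPkiObjectsForCa {
    # Deletes the Enrollment Services, Certification Authorities, AIA and CDP objects whose CN
    # is the CA name: the per-object equivalent of "Manage AD Containers" in pkiview.msc.
    # NTAuthCertificates is one multi-valued object shared by every CA, so it is never deleted;
    # the stale certificate is picked out of it in the dialog certutil opens.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$CaName)
    $targets = Get-AdPkiObjects | Where-Object { $_.DN -like "CN=$CaName,*" }
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.DN, 'Delete')) {
            ([ADSI]"LDAP://$($t.DN)").psbase.DeleteTree()
        }
    }
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    if ($PSCmdlet.ShouldProcess('CN=NTAuthCertificates', 'Open certutil -viewdelstore')) {
        certutil -viewdelstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg?cACertificate?base?objectClass=certificationAuthority"
    }
}

# Inventory first: undocumented CAs show up as extra pKIEnrollmentService / certificationAuthority
# entries, and the decoded certificates show which ones are already expired.
Get-AdPkiObjects | Format-Table Class, Host, CrlBytes, DN -AutoSize
Get-AdPkiObjects | ForEach-Object { $o = $_; $o.Certs | ForEach-Object { '{0}  <- {1}' -f $_, $o.DN } }

# Preview, then really delete, what the old CA left behind (CA name is assumed).
Remove-AdPkiObjectsForCa -CaName 'OldCorp-CA' -WhatIf
# Remove-AdPkiObjectsForCa -CaName 'OldCorp-CA'
```

Run the inventory before and after the delete and again after the CA role is removed; when every container comes back empty and `certutil -ADCA` (which reads the same Enrollment Services container) lists nothing, PKIVIEW's "Manage AD Containers" boxes will be blank as the answer above describes. Deletions replicate like any other Configuration-partition change, so a domain controller in another site may show the old entries for a while.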
