
Decommissioning an AD CS Certificate Authority

A walkthrough on how to decommission an AD CS Certificate Authority and clean up the objects it leaves behind in Active Directory.

Introduction

This document provides work instructions for decommissioning an issuing Certificate Authority (CA) fully and cleanly, and for removing every trace of it from Active Directory (AD).

Pre-Requisites

Before touching anything:

  • Confirm the CA is ready for decommission:
    • It is no longer issuing certificates.
    • None of the certificates it issued are still needed for authentication and / or decryption.
  • Confirm the engineer performing this activity has Domain Admin and Enterprise Admin rights.

Instructions

Stop AD CS and Revoke Issuing CA Certificate

  1. Stop Active Directory Certificate Services (AD CS) by running net stop certsvc in an administrative command prompt.
  2. From the Root or Policy CA (depending on the hierarchy), revoke the issuing CA’s certificate:
    1. Log onto the Policy CA
    2. Open the Certification Authority Console by typing certsrv.msc in the Run menu
    3. Expand the CA name
    4. Navigate to “Issued Certificates” and locate the issuing CA’s certificate
    5. Right click > All Tasks > Revoke
    6. Specify the reason as CessationOfOperation
  3. Republish the CRL so the revocation becomes visible to relying parties:
    1. Open the Certification Authority Console by typing certsrv.msc in the Run menu
    2. Expand the CA name
    3. In the left pane, right click “Revoked Certificates” > All Tasks > Publish

Uninstall AD CS

  1. To uninstall the CA Role, follow the steps below:
    1. Open the Server Manager application
    2. Under Roles Summary, select Remove Roles to start the remove roles wizard, and then select Next
    3. Clear the Active Directory Certificate Services check box, and then select Next
    4. On the Confirm Removal options page, review the information, and then select Remove
    5. Once the remove roles wizard is finished, restart the server.

Scrub Active Directory

When AD CS is installed on a domain-joined server, several objects are created in the Configuration container in Active Directory, namely:

- certificateAuthority object
    - Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
    - Contains the CA certificate for the CA.
    - Published Authority Information Access (AIA) location.
- crlDistributionPoint object
    - Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    - Contains the CRL periodically published by the CA.
    - Published CRL Distribution Point (CDP) location.
- certificationAuthority object
    - Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    - Contains the CA certificate for the CA.
- pKIEnrollmentService object
    - Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
    - Created by the enterprise CA.
    - Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

When the CA is uninstalled, only the pKIEnrollmentService object is removed; the other three remain.

To scrub Active Directory, go through each of the locations detailed above and delete any entries relating to the CA being decommissioned.

Also delete the CA's certificate from the NTAuthCertificates store that was published to AD, using the following command and selecting the decommissioned CA's certificate when prompted:

    certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"
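The following PowerShell script is an added example, not part of the original post, that enumerates the four locations above for a given CA and, only when run with -Remove, deletes what it finds with a confirmation prompt per object; it also lists the NTAuthCertificates contents so the right certificate can be picked in certutil -viewdelstore. It assumes the RSAT ActiveDirectory module is available and that $CaName and $CaHost are supplied by the operator (the sample values in the comments are constructed placeholders).

```powershell
param(
    [Parameter(Mandatory)][string]$CaName,  # CA common name, e.g. "Contoso Issuing CA 1" (constructed placeholder)
    [Parameter(Mandatory)][string]$CaHost,  # CA server hostname, e.g. "ISSUINGCA01" (constructed placeholder)
    [switch]$Remove                         # without this switch the script only reports what it found
)
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# The four containers the post lists. CDP holds a per-server container named after the
# CA host, so that one is matched on the hostname and removed together with its children.
$targets = @(
    @{ Base = "CN=AIA,$pks";                       Filter = "(cn=$CaName)" }
    @{ Base = "CN=CDP,$pks";                       Filter = "(cn=$CaHost)" }
    @{ Base = "CN=Certification Authorities,$pks"; Filter = "(cn=$CaName)" }
    @{ Base = "CN=Enrollment Services,$pks";       Filter = "(cn=$CaName)" }
)

foreach ($t in $targets) {
    $objs = Get-ADObject -SearchBase $t.Base -SearchScope OneLevel -LDAPFilter $t.Filter
    if (-not $objs) { Write-Host "Nothing matching in $($t.Base)"; continue }
    foreach ($o in $objs) {
        Write-Host "Found $($o.ObjectClass): $($o.DistinguishedName)"
        if ($Remove) {
            # -Recursive takes the CDP server container's crlDistributionPoint children with it;
            # -Confirm prompts before each deletion so a mistyped name cannot wipe a live CA.
            Remove-ADObject -Identity $o.DistinguishedName -Recursive -Confirm:$true
        }
    }
}

# Uninstall does not touch NTAuthCertificates either. List its certificates and flag the
# one whose subject matches the decommissioned CA so it can be chosen in certutil -viewdelstore.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    $flag = if ($cert.Subject -like "*CN=$CaName*") { "<-- decommissioned CA" } else { "" }
    Write-Host ("NTAuth: {0}  {1}  {2}" -f $cert.Thumbprint, $cert.Subject, $flag)
}
```

Run it once without -Remove from a Domain Controller and compare the output against the CA you expect to remove before running it again with -Remove.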

Remove from Domain

As this CA was domain-joined, it should be removed from the domain before being physically decommissioned. The steps below detail the process of removing the CA server from the AD domain.

  1. Open System Properties by typing sysdm.cpl in the Run menu
  2. Click Change
  3. Select the Workgroup option
  4. In the Workgroup input field, type WORKGROUP
  5. Press OK, dismissing any welcome message.
  6. Log onto the Domain Controller and open Active Directory Users and Computers by typing dsa.msc in the Run menu
  7. Navigate to the OU which held the decommissioned CA server
  8. Right-click the CA server's computer object > Delete.

Clean up Domain Controllers

After the CA is uninstalled, the certificates that were issued to domain controllers must be removed.

To remove certificates that were issued to the Windows Server 2003 and newer domain controllers, follow these steps. Do not use this procedure if you are using certificates that are based on version 1 domain controller templates.

  1. Select Start, select Run, type cmd, and then press ENTER.
  2. At the command prompt on a domain controller, type certutil -dcinfo deleteBad.

    Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.

To force Group Policy to apply immediately, follow these steps:

  1. Select Start, select Run, type cmd in the Open box, and then press ENTER.
  2. At a command prompt, type the following command, and then press ENTER:

    gpupdate /force

This post is licensed under CC BY 4.0 by the author.