Remove/Decommission Root CA
Hi,
We have a scenario where a customer has installed three root CAs in one domain, and we are now going to remove these and install a 2-tier system. :)
None of the CAs is in production; they have just tested them, but have issued several thousand certificates, which are not in use by any application.
Root CA 1: This is a Windows 2003 Standard Edition with an enterprise CA; here the customer has just turned off the CA service.
Root CA 2: Windows 2008 R2 Enterprise with an enterprise root CA; here the service is running and several certificates are published.
Root CA 3: Windows 2008 R2 Enterprise with an enterprise root CA; here the service is running and several certificates are published.
So :) my question is: what would be the best way to clean this up? I have been looking at the document
http://support.microsoft.com/kb/889250, but is this the same procedure for Windows 2008 R2? If it is valid for Windows 2008 R2, do I need to follow steps 1-9? Like I said, none of the certificates
are used, so we do not need to keep anything alive.
Another question: when we revoke a certificate from a user/machine, will this certificate be automatically removed from the user's certificate store? I mean, can I still see it with MMC, or is it gone?
Thanks for the reply.
Ole
October 6th, 2011 7:56am
Yes, you can use the same procedures, and if you are sure none of the old certificates are needed, you can ignore several of the coexistence/preservation steps...
No; if you revoke a cert, it will not be removed from the personal certificate store on the client, but the serial number of the revoked certificate will be added to the CRL. Depending on the application used, it may or may not check the CRL.
This may help with clean-up:
http://msdn.microsoft.com/en-us/library/e78byta0(v=vs.80).aspx, and I am sure there are other scripts/tools to achieve the same...
Cheers
JJ
Jason Jones |
Forefront MVP | Silversands Ltd | My Blogs:
http://blog.msedge.org.uk and
http://blog.msfirewall.org.uk
October 6th, 2011 8:18am
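As an added example that is not part of this thread (and not Microsoft's own script), the PowerShell below scripts the revoke-and-publish part of the KB 889250 procedure on the CA host and then adds the client-side check that illustrates the second answer: the revoked certificate stays in the user's Personal store, and only an application that builds the chain with revocation checking sees it as revoked. It assumes it runs elevated on the CA host, that certutil addresses that host's own CA, and that the issuer common name and thumbprint passed to the client-side functions are placeholders.

```powershell
# Added example, not part of the original thread or of KB 889250 itself.
# Server side: revoke everything the test CA issued, stretch the CRL lifetime,
# publish a final CRL. Client side: show why a revoked cert is still visible.
# Assumptions: elevated session on the CA host; certutil targets the local CA;
# the issuer CN and thumbprint used by the client functions are placeholders.

function Invoke-Certutil {
    # Wrapper that surfaces certutil's exit code, which Windows PowerShell
    # otherwise ignores for native commands.
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    $output
}

function Get-IssuedSerialNumber {
    # Disposition 20 = "issued" in the CA database. The trailing csv switch
    # makes certutil emit one quoted serial number per line under a header row.
    Invoke-Certutil -Arguments @('-view', '-restrict', 'Disposition=20', '-out', 'SerialNumber', 'csv') |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -match '^[0-9a-fA-F]+$' }
}

function Revoke-AllIssuedCertificates {
    # KB 889250 revokes everything the CA issued before the CA goes away.
    # Reason 5 = CessationOfOperation, the code intended for a retired CA.
    $serials = @(Get-IssuedSerialNumber)
    foreach ($serial in $serials) {
        Invoke-Certutil -Arguments @('-revoke', $serial, '5') | Out-Null
    }
    $serials.Count
}

function Publish-FinalCrl {
    # Stretch the CRL lifetime so the last CRL stays valid long after the CA is
    # gone, restart the service so the registry values apply, then publish.
    # (The CRL can never outlive the CA certificate itself.)
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLPeriodUnits', '99') | Out-Null
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLPeriod', 'Years') | Out-Null
    Restart-Service -Name CertSvc
    Invoke-Certutil -Arguments @('-crl') | Out-Null
}

function Get-ClientCertificateState {
    # Illustrates the second answer: revocation does not touch the client store.
    # The cert stays under Cert:\CurrentUser\My; only a chain built with an
    # online revocation check (what a careful application does) reports it.
    param([string]$Thumbprint)   # placeholder, supplied by the caller
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return 'absent from store' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    if ($status -match '\bRevoked\b') { return 'present in store, revoked per CRL' }
    if ($status -match 'RevocationStatusUnknown|OfflineRevocation') {
        return 'present in store, CRL unreachable (an app that skips the check would accept it)'
    }
    if ($status) { return "present in store, chain error: $status" }
    'present in store, chain valid'
}

function Remove-CertificatesFromIssuer {
    # Client-side clean-up, the scripted equivalent of deleting them one by one:
    # remove every cert in the user's Personal store issued by the retired CA.
    param([string]$IssuerCN)   # placeholder, e.g. 'Contoso Test Root CA 2'
    $victims = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "CN=$IssuerCN*" })
    $victims | Remove-Item
    $victims.Count
}

# Usage on the CA host being retired:
#   $revoked = Revoke-AllIssuedCertificates; Publish-FinalCrl
# Usage on a client, with placeholder values:
#   Get-ClientCertificateState -Thumbprint '<thumbprint>'
#   Remove-CertificatesFromIssuer -IssuerCN 'Contoso Test Root CA 2'
```

Run the server-side functions once per test CA before removing the role; the client-side functions are what you would push out if you do want the stale certificates gone from user stores, since, as the answer says, revocation alone leaves them in place.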