Removing CA
We are working to remove an enterprise CA that was previously used to test OWA using KB889250. The certificate has long since expired. However, it appears there are two valid certificates issued to the DCs. Given this scenario, is it necessary to maintain a CRL distribution point? Can the certificates be revoked, the CA uninstalled, all AD-related objects removed, and the certificates removed from the DCs?
Many thanks in advance for any assistance.
March 24th, 2010 5:55pm
There are two ways to solve this task:
1) remove all issued certificates from clients (such as DCs) and completely remove the CA server (AD CS role). This will be fine if the CA hasn't issued many certificates.
2) revoke all issued certificates, publish a new CRL and remove the AD CS role from the CA server.
http://www.sysadmins.lv
March 24th, 2010 8:11pm
Thanks for the reply. The only clients that have a certificate are the ones listed under Issued Certificates, is that correct? When you say "remove AD CS role from CA server", do you mean uninstall through Add/Remove Programs/Windows Components? Does anything have to be manually removed?
Thanks again,
March 24th, 2010 9:46pm
> The only clients that have a certificate are the ones listed under Issued Certificates, is that correct?
Yes.
> Does anything have to be manually removed?
You may have to manually delete CA objects from AD (configuration partition), such as the AIA, CDP, NTAuthCertificates and Certification Authorities containers. For detailed info please refer to the mentioned KB889250 article.
http://www.sysadmins.lv
March 24th, 2010 10:07pm
Thanks again. For the AIA and CDP, can I just delete the references under Sites and Services? Also, in a test environment we had trouble with the NTAuthCertificates. The command in the KB would not work. If we use PKIView, will that remove the NTAuthCertificates-related objects?
Thanks,
March 24th, 2010 10:13pm
Sure. Using pkiview.msc you can review all PKI-related containers in AD (except Certificate Templates) and remove unused certificates/CRLs.
http://www.sysadmins.lv
March 24th, 2010 10:17pm
Thanks so much for working with me on this. So, we just need to:
revoke, uninstall, delete the folders under Public Key Services in Sites and Services, run pkiview and delete anything remaining, remove the certificates from the servers.
Is that right?
Many thanks again for all your help.
March 24th, 2010 10:48pm
If you *completely* want to remove the CA, you don't need to revoke certificates. This is because when you remove your CA from the Trusted Root CAs container, nobody will trust your CRLs. Just remove the AD CS role and delete certificates/CRLs from AD using pkiview.msc.
http://www.sysadmins.lv
March 24th, 2010 10:56pm
Thank you. I do want it completely removed. Just one last question. Will pkiview find and let us delete objects after the Enterprise CA has been uninstalled?
March 24th, 2010 11:08pm
Yes. While pkiview.msc is available (as far as I understand you have a Windows Server 2003 CA, and pkiview.msc is shipped with the reskit tools) you can run it at any time and manage the AD containers.
http://www.sysadmins.lv
March 24th, 2010 11:11pm
Thanks again for all your help yesterday. After everything is removed using pkiview, do we delete the Public Key Services folder listed in Sites and Services?
Thanks again,
March 25th, 2010 4:33pm
No. You MUST NOT delete this container. Just the CA entries within this container and its subcontainers.
http://www.sysadmins.lv
March 25th, 2010 4:40pm
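The cleanup this thread converges on (uninstall the role, then delete the CA's own entries under Public Key Services but never the containers themselves, then clear the DCs) as an added PowerShell example. This is not code from the thread, from sysadmins.lv or from KB889250. It assumes the RSAT ActiveDirectory module and certutil.exe are available, Enterprise Admin rights, PowerShell 3.0 or later (for Remove-Item on the Cert: drive), and a CA common name passed as the hypothetical -CaName parameter. Run it without -Remove first to see what it would delete; part 3 has to run on each DC.

```powershell
<#
  Added example, not code from this thread or from KB889250.
  Reports (and with -Remove deletes) what an uninstalled enterprise CA leaves behind:
    1. its per-CA objects under CN=Public Key Services in the configuration
       partition (the AIA/CDP/... containers themselves are never touched),
    2. its certificate inside the NTAuthCertificates object,
    3. on the machine the script runs on (e.g. each DC): the CA certificate in
       the Root store and any certificates the CA issued to that machine.
  Assumptions: RSAT ActiveDirectory module + certutil.exe, Enterprise Admin,
  PowerShell 3.0+, and -CaName is the CA's common name as shown in pkiview.msc.
#>
param(
    [Parameter(Mandatory)][string]$CaName,
    [switch]$Remove   # default is a dry run that only reports
)
Import-Module ActiveDirectory -ErrorAction Stop

$pks = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
$esc = [regex]::Escape($CaName)
$byCaName = "^CN=$esc(,|$)"   # matches a DN/subject whose first RDN is exactly the CA name

# 1. Per-CA objects. Only objects whose CN equals the CA name are selected, so the
#    sub-containers survive. Under CDP the CA's cRLDistributionPoint object lives in
#    CN=<CA server>,CN=CDP,...; that server-named sub-container is left for manual review.
foreach ($container in 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA') {
    $base = "CN=$container,$pks"
    $hits = Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter "(cn=$CaName)" `
                         -ErrorAction SilentlyContinue
    foreach ($obj in @($hits)) {
        if ($Remove) {
            Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
            Write-Host "Removed      $($obj.DistinguishedName)"
        } else {
            Write-Host "Would remove $($obj.DistinguishedName)"
        }
    }
}

# 2. NTAuthCertificates is a single object with a multi-valued cACertificate attribute,
#    so the CA's certificate has to be picked out of it rather than deleted as an object.
#    certutil -enterprise addresses the AD-backed NTAuth store rather than the local copy.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in @($ntauth.cACertificate)) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    if ($cert.Subject -match $byCaName) {
        if ($Remove) {
            certutil -enterprise -delstore NTAuth $cert.SerialNumber | Out-Null
            Write-Host "Removed      NTAuth entry $($cert.Subject) (serial $($cert.SerialNumber))"
        } else {
            Write-Host "Would remove NTAuth entry $($cert.Subject) (serial $($cert.SerialNumber))"
        }
    }
}

# 3. Local machine stores. The Root copy is re-pushed to domain members as long as the
#    CA's entry under CN=Certification Authorities still exists, so step 1 must come first.
#    Certificates the CA issued to this machine (on a DC: the LDAPS/Kerberos certificate)
#    are removed together with their private keys.
$issued = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Issuer  -match $byCaName }
$roots  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $byCaName }
foreach ($c in @($issued)) {
    if ($Remove) { Remove-Item -Path $c.PSPath -DeleteKey; Write-Host "Removed      My\$($c.Thumbprint) ($($c.Subject))" }
    else         { Write-Host "Would remove My\$($c.Thumbprint) ($($c.Subject))" }
}
foreach ($c in @($roots)) {
    if ($Remove) { Remove-Item -Path $c.PSPath; Write-Host "Removed      Root\$($c.Thumbprint) ($($c.Subject))" }
    else         { Write-Host "Would remove Root\$($c.Thumbprint) ($($c.Subject))" }
}
```

Usage: `.\Remove-DecommissionedCa.ps1 -CaName "Contoso Test CA"` (hypothetical file and CA name) prints every object and certificate that would go; add `-Remove` to delete them. Before running part 3 on a DC, check what depends on the two DC certificates the thread mentions (LDAPS clients, smart-card logon): once the issuing CA is gone those certificates cannot be renewed, so replacements from another CA should be in place first.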
Thank you for all your help.
March 25th, 2010 4:42pm