
Remove trusted Root Certificate Authorities from AD?

ADB100

Technical User
Joined
Mar 25, 2003
Messages
2,399
Location
GB
I have been testing with a Windows 2000 CA in an established AD. Everything has gone fine, but I have now removed the CA and the Trusted Root Certificate it published to AD is still there and is 'pushed' down to the clients when they boot up and apply the GPO. I have tried manually removing the certificate on clients and on a DC, but each time the client is reloaded the certificate re-appears. I have since built another CA for testing and this has published another certificate to AD that is 'pushed' down to the clients, but the original one still remains.
Is there any way to remove this? I have searched and searched on MS's website but cannot find any pointers.

Thanks

Andy
 
The information you are pulling down is published to AD when you install an enterprise CA. Some of this is in the domain NC, and some more in the Configuration container.

certutil is the way to go!


You can remove existing Windows 2000 Certificate Server public and private key pairs by using the Certutil.exe utility. To do so, first list the currently installed keys by typing the following line at a command prompt:

"certutil -key" (without the quotation marks)


The container names of key pairs for any previously installed CA are listed under the "Microsoft Base Cryptographic Provider v1.0" section. The container name should be the same as the name originally given to the Certification Authority. After you have identified the name of the container, you can delete it by using the following command:

"certutil -delkey <CA_name>" (without the quotation marks)

Hope this helps!
 
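The reply above points at the Configuration container but stops at `certutil -key`/`-delkey`, which only touch key containers on the local machine. The objects that get pushed to domain members live under CN=Public Key Services,CN=Services in the Configuration naming context: the Certification Authorities container is what clients mirror into the Enterprise physical store of Trusted Root Certification Authorities on every policy refresh, which is why deleting the certificate locally never sticks, and AIA, NTAuthCertificates and Enrollment Services hold further copies. The following script is an added example, not code from the thread or from Microsoft; it enumerates every CA certificate published in those containers and, given a thumbprint, removes only the matching object or attribute value. It assumes the RSAT ActiveDirectory PowerShell module and Enterprise Admins rights (the Configuration NC is forest-wide); the `-RemoveThumbprint` parameter is a placeholder for the stale test CA's thumbprint.

```powershell
# Added example (not from the original thread): list the CA certificates an
# enterprise CA publishes into the Configuration naming context and optionally
# remove a stale one by thumbprint. Assumes the RSAT ActiveDirectory module and
# Enterprise Admins rights; -RemoveThumbprint is a placeholder you fill in.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$RemoveThumbprint   # thumbprint of the stale test CA (placeholder)
)

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

function ConvertTo-X509 {
    param([byte[]]$Der)
    # cACertificate values are DER blobs; the leading comma wraps the byte[] so
    # New-Object passes one argument instead of splatting the bytes.
    New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
               -ArgumentList @(,$Der)
}

# Every container that can hold a copy of a CA certificate.
# 'Certification Authorities' is the one domain members copy into their Trusted
# Root store on policy refresh, so a leftover object here is what keeps coming
# back. AIA holds the same certificates for chain building, NTAuthCertificates
# is a single object with a multi-valued cACertificate, and Enrollment Services
# has one pKIEnrollmentService object per online enterprise CA.
$containers = @(
    @{ Name = 'Certification Authorities'; Base = "CN=Certification Authorities,$pks"; Class = 'certificationAuthority'; Scope = 'OneLevel' }
    @{ Name = 'AIA';                       Base = "CN=AIA,$pks";                       Class = 'certificationAuthority'; Scope = 'OneLevel' }
    @{ Name = 'Enrollment Services';       Base = "CN=Enrollment Services,$pks";       Class = 'pKIEnrollmentService';   Scope = 'OneLevel' }
    @{ Name = 'NTAuthCertificates';        Base = "CN=NTAuthCertificates,$pks";        Class = 'certificationAuthority'; Scope = 'Base' }
)

$found = foreach ($c in $containers) {
    $objs = Get-ADObject -SearchBase $c.Base -SearchScope $c.Scope `
                -LDAPFilter "(objectClass=$($c.Class))" -Properties cACertificate
    foreach ($o in $objs) {
        foreach ($der in $o.cACertificate) {
            $x = ConvertTo-X509 $der
            [pscustomobject]@{
                Container  = $c.Name
                Object     = $o.DistinguishedName
                Subject    = $x.Subject
                Thumbprint = $x.Thumbprint
                NotAfter   = $x.NotAfter
                Der        = $der
            }
        }
    }
}

# Review this table first: the stale test CA and the production CA will both
# be listed, and only the thumbprint tells them apart reliably.
$found | Format-Table Container, Subject, Thumbprint, NotAfter -AutoSize

if ($RemoveThumbprint) {
    $tp    = ($RemoveThumbprint -replace '\s', '').ToUpper()
    $stale = $found | Where-Object Thumbprint -eq $tp
    if (-not $stale) { throw "No published CA certificate has thumbprint $tp" }

    foreach ($s in $stale) {
        if ($s.Container -eq 'NTAuthCertificates') {
            # NTAuth is one object shared by all CAs: strip only the matching
            # value, never delete the object.
            if ($PSCmdlet.ShouldProcess($s.Object, "Remove cACertificate value $tp")) {
                Set-ADObject -Identity $s.Object -Remove @{ cACertificate = $s.Der }
            }
        }
        else {
            # Per-CA objects can be deleted outright.
            if ($PSCmdlet.ShouldProcess($s.Object, 'Remove-ADObject')) {
                Remove-ADObject -Identity $s.Object -Confirm:$false
            }
        }
    }
}
```

Run it without `-RemoveThumbprint` to see the inventory, then with `-RemoveThumbprint <thumbprint> -WhatIf` to confirm exactly which objects would go before committing. Once the stale objects are gone and replication has completed, a `gpupdate /force` (or `certutil -pulse`) on a client clears the copy from its Enterprise store; the same containers can also be inspected and edited with `certutil -viewstore` and `certutil -viewdelstore` given an `ldap:///` URL to the container. Double-check the thumbprint against the production CA before removing anything: deleting the wrong object breaks chain validation for every certificate that CA has issued.
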
Thanks, I will try tomorrow when I get back.

Andy
 
The certutil didn't work. I am trying to remove a trusted Root Certificate Authority from AD that gets pushed down to the clients at logon/boot up. As I said previously, I had a Test CA installed a while back that was a CA for my domain; I have since wiped this server and built a new CA. The certificate from the Test CA is somehow still in AD as well as the new one. I can manually remove the Trusted Root Certificate using Internet Explorer, Tools, Options, Content, Certificates, Trusted Root Certificate Authorities, Remove. But after a re-boot it re-appears, I assume pushed down from AD when the machine is re-booted/logged on. I have tried ADSI Edit from the W2K Resource Kit Tools but can't seem to find anything....

Any more help appreciated.

Andy
 