{"id":202,"date":"2018-03-02T19:51:25","date_gmt":"2018-03-03T01:51:25","guid":{"rendered":"http:\/\/zewwy.ca\/?p=202"},"modified":"2018-07-20T14:17:23","modified_gmt":"2018-07-20T19:17:23","slug":"remove-existing-enterprise-root-ca-part-2","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2018\/03\/02\/remove-existing-enterprise-root-ca-part-2\/","title":{"rendered":"Remove Existing Enterprise Root CA (Part 2)"},"content":{"rendered":"

<\/span>Intro<\/strong><\/span><\/h1>\n

Continuing on from my source blog post<\/a>. In this case he goes on to install and configure the role to be a subordinate enterprise CA. But what do you do if you already deployed an Enterprise Root CA? I’m going to go off a hunch and that something gets applied into AD somewhere to present this information to domain clients. I found this nice article from MS directly<\/a> on the directions to take, it stated for Server 2012, so I hope the procedure on this hasn’t changed much in 2016.<\/p>\n

*NOTE* All steps that state need to be done to AD objects, those commands are run as a Domain Admin, or Enterprise Admin directly logged onto those servers. Most other commands or steps will be done via a client system MMC Snap-in, or logged directly into the CA server.<\/p>\n

<\/span>Remove Existing Enterprise Root CA<\/strong><\/span><\/h1>\n

<\/span>Revoke Existing Certificates<\/strong><\/span><\/h2>\n

Step 1: Revoke all active certificates that are issued by the enterprise CA<\/em><\/strong><\/p>\n

    \n
  1. Click <\/em>Start<\/strong><\/em>, point to<\/em>
    \nAdministrative Tools<\/strong><\/em>, and then click <\/em>Certification Authority<\/strong><\/em>.<\/em><\/li>\n
  2. Expand your CA, and then click the <\/em>Issued Certificates<\/strong><\/em> folder.<\/em><\/li>\n
  3. In the right pane, click one of the issued certificates, and then press CTRL+A to select all issued certificates.<\/em><\/li>\n
  4. Right-click the selected certificates, click <\/em>All Tasks,<\/strong><\/em> and then click <\/em>Revoke Certificate<\/strong><\/em>.<\/em><\/li>\n
  5. In the <\/em>Certificate Revocation<\/strong><\/em> dialog box, click to select <\/em>Cease of Operation<\/strong><\/em> as the reason for revocation, and then click <\/em>OK<\/strong><\/em>.<\/em><\/li>\n<\/ol>\n

    Simple enough…<\/p>\n

    \"\"<\/a><\/p>\n

     <\/p>\n

    \"\"<\/a><\/p>\n

    Increase the CRL interval<\/strong><\/p>\n

    Step 2: Increase the CRL publication interval<\/em><\/strong><\/p>\n

      \n
    1. In the Certification Authority Microsoft Management Console (MMC) snap-in, right-click the <\/em>Revoked Certificates<\/strong><\/em> folder, and then click <\/em>Properties<\/strong><\/em>.<\/em><\/li>\n
    2. In the <\/em>CRL Publication Interval<\/strong><\/em> box, type a suitably long value, and then click <\/em>OK<\/strong><\/em>.<\/em><\/li>\n<\/ol>\n

      Note The lifetime of the Certificate Revocation List (CRL) should be longer than the lifetime that remains for certificates that have been revoked.<\/em><\/p>\n

      Easy enough, done and done.<\/p>\n

      \"\"<\/a><\/p>\n

      Step 3: Publish a new CRL<\/em><\/strong><\/p>\n

        \n
      1. In the Certification Authority MMC snap-in, right-click the<\/em>
        \nRevoked Certificates<\/strong><\/em> folder.<\/em><\/li>\n
      2. Click <\/em>All Tasks<\/strong><\/em>, and then click<\/em>
        \nPublish<\/strong><\/em>.<\/em><\/li>\n
      3. In the <\/em>Publish CRL<\/strong><\/em> dialog box, click<\/em>
        \nNew CRL<\/strong><\/em>, and then click <\/em>OK<\/strong><\/em>.<\/em><\/li>\n<\/ol>\n

        Again easy, done.<\/p>\n

        <\/span>Deny Pending Requests<\/span><\/h3>\n

        *DEFAULT, generally Not required.<\/p>\n

        Step 4: Deny any pending requests<\/em><\/strong><\/p>\n

        By default, an enterprise CA does not store certificate requests. However, an administrator can change this default behavior. To deny any pending certificate requests, follow these steps:<\/em><\/p>\n

          \n
        1. In the Certification Authority MMC snap-in, click the Pending Requests folder.<\/em><\/li>\n
        2. In the right pane, click one of the pending requests, and then press CTRL+A to select all pending certificates.<\/em><\/li>\n
        3. Right-click the selected requests, click <\/em>All Tasks<\/strong><\/em>, and then click <\/em>Deny Request<\/strong><\/em>.<\/em><\/li>\n<\/ol>\n

          Not the case for me.<\/p>\n

          <\/span>Uninstall Certificate Services<\/strong><\/span><\/h2>\n

          Step 5: Uninstall Certificate Services from the server<\/em><\/strong><\/p>\n

            \n
          1. To stop Certificate Services, click <\/em>Start<\/strong><\/em>, click <\/em>Run<\/strong><\/em>, type cmd, and then click <\/em>OK<\/strong><\/em>.<\/em><\/li>\n
          2. At the command prompt, type certutil -shutdown, and then press Enter.<\/em><\/li>\n
          3. At the command prompt, type<\/em>
            \ncertutil -key, and then press Enter. This command will display the names of all the installed cryptographic service providers (CSP) and the key stores that are associated with each provider. Listed among the listed key stores will be the name of your CA. The name will be listed several times, as shown in the following example:<\/em><\/li>\n<\/ol>\n

            (1)Microsoft Base Cryptographic Provider v1.0:<\/em>
            \n <\/em>1a3b2f44-2540-408b-8867-51bd6b6ed413<\/em>
            \n <\/em>MS IIS DCOM ClientSYSTEMS-1-5-18<\/em>
            \n <\/em>MS IIS DCOM Server<\/em>
            \n <\/em>Windows2000 Enterprise Root CA<\/em>
            \n <\/em>MS IIS DCOM ClientAdministratorS-1-5-21-436374069-839522115-1060284298-500<\/em><\/p>\n

              \n
            1. Delete the private key that is associated with the CA. To do this, at a command prompt, type the following command, and then press Enter:<\/em><\/li>\n<\/ol>\n

              certutil -delkey <\/em>CertificateAuthorityName<\/strong><\/em><\/p>\n

              Note If your CA name contains spaces, enclose the name in quotation marks. <\/em><\/p>\n

              In this example, the certificate authority name is “Windows2000 Enterprise Root CA.” Therefore, the command line in this example is as follows:<\/em><\/p>\n

              certutil -delkey “Windows2000 Enterprise Root CA”<\/em><\/p>\n

              * OK, this is where things got weird for me. For some reason I wasn’t getting back the same type of results as the guide, instead I got this:<\/p>\n

              C:\\ProgramData\\Microsoft\\Crypto\\RSA>certutil \u2013key
              \nMicrosoft Strong Cryptographic Provider:
              \nTSSecKeySet1
              \nf686aace6942fb7f4566yh1212eef4a4_ae5889t-54c3-4b6f-8b60-f9f8471c0525
              \nRSA
              \nAT_KEYEXCHANGE<\/p>\n

              CertUtil: -key command completed successfully.<\/p>\n

              And any attempt to delete the key based on the known CA name just failed. I asked about this<\/a> in TechNet under the security section, and was told basically what I figured and that the key either didn’t exist or was corrupted. So basically continue on with the steps. It was later answered by Mark Cooper.<\/p>\n

              <\/span>Locating the CA Master Key<\/strong><\/span><\/h2>\n

              This one again got answered by Mark Cooper, include \u2013csp ksp (keys are located under: %allusersprofile%\\Microsoft\\Crypto\\Keys)<\/p>\n

              \"\"<\/a><\/p>\n

              <\/span>Deleting the CA Master Key<\/strong><\/span><\/h2>\n

              From all the research I’ve done, it seems people are adamant that you delete the key before you remove the certs, why exactly I’m not sure…(From my testing if you deleted the certificate via certutil, it comes right back when restarting certsvc. It must be rebuilt from the registry?)<\/p>\n

              So: certutil \u2013csp ksp \u2013delkey <key><\/p>\n

              \"\"<\/a><\/p>\n

              Checking the keys directory show empty. Good stuff.<\/p>\n

              <\/span>Viewing the Certificate store<\/strong><\/span><\/h2>\n

              Certutil \u2013store my<\/p>\n

              \"\"<\/a><\/p>\n

              This made me start to wonder where the actual certificate files were stored, a google away<\/a> and it turns out to be in the registry? Lol (HKLM\\System\\Microsoft\\SystemCertificates)<\/p>\n

              \"\"<\/a><\/p>\n

              You can see they key container name matches the certificate hash.<\/div>\n
              <\/div>\n

              Nothing more than just a string of obfuscated code (much like opening up a CSR), so the only way to interact with them is using the Microsoft CryptoAPI (CertUtil), or the Snap-in.<\/p>\n

              <\/span>Deleting the CA Certificate<\/strong><\/span><\/h2>\n

              Certutil \u2013delstore my <Serial><\/p>\n

              Reopening regedit, and the cert is gone.<\/p>\n

              Delete Trusted Root CA Cert<\/strong><\/p>\n

              Certutil \u2013store ca
              \nCertutil \u2013delstore ca <serial><\/p>\n

              \"\"<\/a><\/p>\n

              So moving on\u2026*<\/p>\n

                \n
              1. List the key stores again to verify that the private key for your CA was deleted.<\/em>
                \nCheck<\/li>\n
              2. After you delete the private key for your CA, uninstall Certificate Services. To do this, follow these steps, depending on the version of Windows Server that you are running.
                \n<\/em><\/p>\n

                Uninstall-AdcsCertificationAuthority<\/em><\/p>\n

                If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA. After a CA is uninstalled, the following information is left on the server:<\/em><\/li>\n

              3. \n