Why manually delete a PKI?
When you remove a pki since the wizards Windows will scavenge records in Active Directory. However if the server is reinstalled or the VM deleted unless the certification authority role is deleted beforehand, these records remain present in the Active Directory directory. It is therefore necessary to carry out the cleaning of it before any new installation of an enterprise certification authority.
This article details the different steps for cleaning of the Active Directory.
Cleaning Active Directory
If the server with the certificate authority role is member of the domain, the following objects are added in the directory:
CertificateAuthority object, it contain CA Certificate for the CA and Published Authority Information Access (AIA) location.
- present in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
crlDistributionPoint object, it contain the CRL periodically published by the CA and published CRL Distribution Point (CDP) location
- Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
certificationAuthority object, it contain the CA certificate for the CA.
- Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
pKIEnrollmentService object, it’s created by the enterprise CA and Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.
- Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Delete certificates published , after you remove the CA objects it is necessary to remove the CA certificates.These are published to the NtAuthCertificates object. Run one of the commands below to perform the operation. This action requires Enterprise Administrator permissions .
- certutil -viewdelstore “ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority”.
- certutil -viewdelstore “ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=pKIEnrollmentService”
This procedure details how to clean a database in case of removal of the CA without clean uninstall (removal of the server/VM). However, it is recommended to carry out a clean deletion from the Server Manager console.
It may be necessary to verify the removal of AD objects and this database in %systemroot%\System32\Certlog (On the CA server).