Delete Unused Objects from Active Directory Containers

There may be times when you need to uninstall a certification authority (CA). However, clients will not be able to send requests to this CA and some applications that depend on your public key infrastructure (PKI) may not function properly after a CA that is needed to verify the validity and revocation status of a certificate has been uninstalled.

If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA for a certificate revocation reason of “Cease of operation.” If the CA is a self-signed root CA, then all certificates that have not expired should be revoked and a certificate revocation list (CRL) should be generated with the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

When uninstalling an enterprise CA, it is important that it be uninstalled properly to ensure that its CA enrollment object is removed from Active Directory Domain Services (AD DS). Failure to do so may result in AD DS clients continuing to attempt to enroll against that CA. If an enterprise CA cannot be uninstalled normally, the Enterprise PKI snap-in can be used to manually remove the CA objects from AD DS.

Note
You should back up the entire server before uninstalling the CA.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To remove unused certificate-related objects from Active Directory containers

  1. Open the Enterprise PKI snap-in.
  2. In the console tree, right-click Enterprise PKI, and then click Manage AD Containers.
  3. Select one of the containers, and select one or more objects within that container.
  4. Click View to examine the contents of each object if you are uncertain whether any of the selected objects pertain to the CA that you are uninstalling.
  5. Click Remove.
  6. Select a different container, and repeat steps 3 through 5 until you have removed all objects that you no longer need.

Add Published Certificates to Active Directory Containers

All certification authority (CA) certificates in the Active Directory domain of the current forest are stored in the NTAuthCertificates container. Enterprise CA certificates are added automatically when a new CA is installed.

If a CA certificate is not added automatically when the new CA is created, such as a stand-alone CA created by a user who is not a member of the Enterprise Admins group, the CA certificate can still be added manually to the NTAuthCertificates container. This process can also be used to add the CA certificate of a non-Microsoft CA that has been used to issue smart card logon or domain controller certificates. By publishing these CA certificates to the Enterprise NTAuth store, the administrator indicates that the CA is trusted to issue certificates of these types.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To add a certificate to the NTAuthCertificates container by using the Windows interface

  1. Export the certificate of the CA to a .cer file that supports either the Distinguished Encoding Rules (DER)-encoded binary format or the base-64 encoded X.509 format.
  2. Open the Enterprise PKI snap-in, right-click Enterprise PKI in the console tree, and click Manage AD Containers.
  3. Click the NTAuthCertificates container.
  4. Click Add, and browse to the .cer file for the certificate that you want to add. Click OK.

You can also add a certificate to the NTAuthCertificates container by using the Certutil command-line tool.

To add a certificate to the NTAuthCertificates container by using a command line

  1. Export the certificate of the CA to a .cer file that supports either the DER-encoded binary format or the base-64 encoded X.509 format.
  2. Open a command prompt window, type the following command, and press ENTER:

    certutil -dspublish -f filename NTAuthCA
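The command-line procedure above, wrapped in a PowerShell script that is added here as an example and is not part of the original article: it refuses to publish anything that is not a current CA certificate, then runs the same certutil command. It assumes a domain-joined host, certutil.exe on the path, and an account that is a member of Enterprise Admins.

```powershell
# Added example, not from the original article: sanity-check a .cer file and then run
# the article's certutil command. Assumptions: run as a member of Enterprise Admins on a
# domain-joined host where certutil.exe is on the path.
param([Parameter(Mandatory = $true)][string]$CerPath)   # DER or Base64 .cer exported from the CA

$ErrorActionPreference = 'Stop'

# X509Certificate2 loads both DER-encoded and Base64-encoded .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# NTAuthCertificates marks a CA as trusted for smart card logon and domain controller
# certificates, so only a genuine CA certificate belongs there: require Basic Constraints CA=TRUE.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CerPath is not a CA certificate (Basic Constraints CA=TRUE missing); not publishing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "CA certificate expired on $($cert.NotAfter); not publishing."
}

Write-Host "Publishing '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) to NTAuthCertificates"

# Same command as in the procedure; -f overwrites an existing entry for the same certificate.
& certutil.exe -dspublish -f $CerPath NTAuthCA
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dspublish failed with exit code $LASTEXITCODE"
}
```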

Managing Active Directory Containers with Enterprise PKI

Enterprise certification authorities (CAs) publish certificates, certificate revocation lists (CRLs), and other data to Active Directory containers. The Enterprise PKI snap-in can be used to browse and manage objects in those containers.

The Active Directory containers that can be managed with the Enterprise PKI snap-in are:

  • NTAuthCertificates. Contains all of the CA certificates in the current forest. Certificates are added automatically when a new CA is installed by a member of the Enterprise Admins group. Certificates can also be added manually by using the Manage AD Containers dialog box.
  • AIA. Contains CA certificates that can be retrieved by clients using the authority information access (AIA) certificate extension to build a valid certificate chain and to retrieve any cross-certificates issued by the CA.
  • CDP. Contains all base CRLs and delta CRLs published in the forest.
  • KRA. Contains the certificates for key recovery agents for the forest. Key recovery agents must be configured to support key archival and recovery. Key recovery agent certificates can be added to this container automatically by enrolling with an enterprise CA. The key recovery agent certificates cannot be added manually by using the Manage AD Containers dialog box.
  • Certification Authorities. Contains the certificates for trusted root CAs in the forest. Root CA certificates are added automatically when a member of Enterprise Admins sets up an enterprise root CA or stand-alone root CA that is joined to the domain. Root CA certificates can also be added manually from the command prompt but not through the Manage AD Containers dialog box.
  • Enrollment Services. Contains the certificates for enterprise CAs that are available to issue certificates to users, computers, or services in the forest. Enterprise CA certificates can only be added to this container by a member of Enterprise Admins who installs an enterprise CA. The certificates cannot be added manually by using the Manage AD Containers dialog box.
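Reading those containers back over LDAP is the quickest way to confirm a publish (or a removal during decommissioning) actually took effect and to spot CA certificates nobody expected. The script below is an added example, not code from the original article; it assumes a domain-joined host with read access to the Configuration partition, and the allow-list of thumbprints is a constructed placeholder you replace with your own CA thumbprints.

```powershell
# Added example, not from the original article: list the CA certificates published in the
# Public Key Services containers and flag any that are not on an expected list.
# Assumptions: domain-joined host with read access to the Configuration partition;
# $ExpectedThumbprints is a constructed placeholder, replace it with your own CA thumbprints.
$ErrorActionPreference = 'Stop'
$ExpectedThumbprints = @('0000000000000000000000000000000000000000')   # placeholder value

$rootDse = [ADSI]'LDAP://RootDSE'
$pks = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Get-PublishedCaCertificates {
    param([string]$Container)   # NTAuthCertificates, AIA, Certification Authorities, Enrollment Services
    $node = [ADSI]"LDAP://CN=$Container,$pks"
    # NTAuthCertificates is itself the object holding cACertificate; the other containers hold one object per CA.
    $objects = if ($Container -eq 'NTAuthCertificates') { @($node) } else { @($node.Children) }
    foreach ($obj in $objects) {
        foreach ($raw in $obj.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
            [pscustomobject]@{
                Container  = $Container
                Object     = "$($obj.cn)"
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expected   = $ExpectedThumbprints -contains $cert.Thumbprint
            }
        }
    }
}

$report = foreach ($c in @('NTAuthCertificates', 'Certification Authorities', 'AIA', 'Enrollment Services')) {
    Get-PublishedCaCertificates -Container $c
}
$report | Sort-Object Container, Subject |
    Format-Table Container, Object, Subject, Thumbprint, NotAfter, Expected -AutoSize

# Anything in NTAuthCertificates or Certification Authorities is trusted forest-wide, so an
# unknown entry there, or one left behind after a decommission, needs an owner.
$report |
    Where-Object { -not $_.Expected -and ($_.Container -in @('NTAuthCertificates', 'Certification Authorities')) } |
    ForEach-Object { Write-Warning "Unexpected CA in $($_.Container): $($_.Subject) [$($_.Thumbprint)]" }
$report | Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired certificate still published in $($_.Container): $($_.Subject)" }
```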

Manage Certification Authorities with Enterprise PKI

Certification authorities (CAs) are listed by name and by their location within a public key infrastructure (PKI), with root CAs located at the top of the hierarchy and subordinate CAs below. CAs can be listed either in the console tree or details pane, depending on whether the PKI or a CA is selected in the console tree. When a CA is double-clicked in the details pane, it will be expanded and selected in the console tree.

CA status information will be listed as OK, Warning, Error, or Unable to download. These status messages indicate whether there is a problem with some aspect of the CA, either the CA certificate, the CRL distribution point locations, or the authority information access locations, or that status information was not obtained. For specific error status messages and their meaning, see Enterprise PKI Status Codes.

If a problem or warning only applies to a subordinate CA, then the error indicator will only appear on the icon for that CA.

When you right-click a CA or click the Action menu, two unique options appear:

  • Manage CA, which opens the Certification Authority snap-in. If the user has the appropriate permissions, the Certification Authority snap-in can then be used to perform various management tasks for the CA.
  • Refresh, which initiates an update to all of the status information available for that CA.

Configure the Enterprise PKI Snap-In

The left pane, or console tree, of the Enterprise PKI snap-in includes a tree view of the public key infrastructures (PKIs) and enterprise certification authorities (CAs) in an organization.

If you select a specific PKI in the console tree, the details pane displays the status of the entire PKI: OK, if everything is properly configured and functioning correctly, or Error, if there are problems that require attention.

If you select a specific CA in the console tree, additional information that can be used to identify the source of an Error condition is displayed, including whether the following are available, expiring, or unavailable:

  • CA certificate
  • Authority information access locations
  • Certificate revocation list (CRL) distribution points
  • Delta CRL distribution points

By right-clicking the name of the PKI in the console tree, you can configure when you want to display alerts for the following components of the CAs in that hierarchy.

  • Set certificate status to Expiring when expiring in. Number of days before a CA certificate expires that a warning will appear.
  • Set CRL status to Expiring when expiring in. Number of hours or days before a CRL expires that a warning will appear.
  • Set Delta CRL status to Expiring when expiring in. Number of hours or days before a delta CRL expires that a warning will appear.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To modify warning options for a PKI

  1. Open the Enterprise PKI snap-in.
  2. In the console tree, right-click Enterprise PKI.
  3. Click Options.
  4. Review and modify the days or hours listed for the CA certificate, CRLs, and delta CRLs.
  5. Click OK.
  6. On the Action menu, click Refresh.

Install the Enterprise PKI Console

The Enterprise PKI snap-in does not appear in the list of default Microsoft Management Console (MMC) snap-ins. The Enterprise PKI snap-in becomes available in the Add/Remove snap-ins list only after you have installed one or more Active Directory Certificate Services (AD CS) role services on the computer or you have installed the AD CS Remote Server Administration Tools from Server Manager.

You must be an administrator on the server to complete this procedure.

To install the AD CS Remote Server Administration Tools

  1. In Server Manager, click Add Features to start the Add Features Wizard.
  2. In the Select Features window, click the plus sign that appears to the left of the Remote Server Administration Tools check box, and then click the plus sign to the left of the Role Administration Tools check box.
  3. Select the Active Directory Certificate Services check box, click Next, and then click Install.
  4. When installation is complete, click Close.

If the computer from which you want to perform remote administration tasks is running Windows Vista, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=89361).

After you have installed the AD CS Remote Server Administration Tools or installed one or more AD CS role services, you can proceed with the following procedure to install the Enterprise PKI snap-in.

You must be a local administrator to complete this procedure.

To install the Enterprise PKI snap-in

  1. Click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove Snap-in.
  3. Add the Enterprise PKI snap-in to the list on the right.
  4. Click OK.