
I have a private domain to which I later added AD CS, NPS and RRAS, and set up SSTP VPN access. I used AD CS to create a certificate for the SSTP connection and DynDNS to get me in from outside. Everything has worked fine for years. I would now like to decommission that machine, and I have researched the steps I will need to take to remove the above roles properly.

When looking at the certificates issued by the AD CS server, I see Computer (Machine), Basic EFS, Kerberos Auth., Domain Controller Auth. and Directory Email Replication certificates. These are besides my remote computer authentication (Web Server) certificate. Since I am still a noob (in over my head?), would there be a problem with my private domain if/when I revoke all these certificates prior to decommissioning?

Thanks in advance.

Kevin
  • What is the point of revoking the certificates if the CRL isn't available? – Greg Askew Feb 18 '20 at 16:31
  • @Greg Askew ... Thank you for that reminder. So then, can you think of any problems, due to those certificates being issued, if I just decommission the AD CS server? – Kevin Feb 18 '20 at 18:06
  • Just a note: when decomming, migrating, or replacing AD CS servers in the past, I ensure that the CRL Distribution Point is still available; that is easy with a DNS alias and a small-footprint web server. To that end, you could probably check the IIS logs for the current CDP to see if there have been any hits; that may give you a clue as to which clients are still hitting services that are secured by the certificates issued by the CA. – Semicolon Feb 18 '20 at 18:15
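The IIS-log check suggested in the comments above, as an added PowerShell example that is not part of the original question or comments. It parses a W3C-format IIS log, keeps only requests for CRL (CDP) and CA-certificate (AIA) objects, and summarises which clients fetched them and when they were last seen. The log path, the `/CertEnroll/` URIs, the CA name `Contoso-CA`, and all IP addresses are constructed sample data; the 10.0.0.0/8 "internal" test is an assumption about the LAN.

```powershell
# Added example (not from the original post). Finds clients still fetching the CA's
# CRL or CA certificate from the CDP/AIA web server by parsing an IIS W3C log.

# Hypothetical log path; IIS default log location, site W3SVC1.
$LogPath = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200218.log'

# Constructed sample log in IIS W3C format (default field set). Used when $LogPath
# does not exist so the script runs offline. Hostnames and IPs are made up.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-02-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-02-18 08:01:12 10.0.0.5 GET /CertEnroll/Contoso-CA.crl - 80 - 10.0.0.21 Microsoft-CryptoAPI/10.0 - 200 0 0 15
2020-02-18 08:01:13 10.0.0.5 GET /CertEnroll/Contoso-CA+.crl - 80 - 10.0.0.21 Microsoft-CryptoAPI/10.0 - 200 0 0 3
2020-02-18 08:03:40 10.0.0.5 GET /CertEnroll/ca01.contoso.local_Contoso-CA.crt - 80 - 10.0.0.22 Microsoft-CryptoAPI/10.0 - 200 0 0 2
2020-02-18 09:15:02 10.0.0.5 GET /CertEnroll/Contoso-CA.crl - 80 - 203.0.113.7 Microsoft-CryptoAPI/10.0 - 200 0 0 20
2020-02-18 09:20:11 10.0.0.5 GET /index.html - 80 - 10.0.0.30 Mozilla/5.0 - 404 0 2 1
'@ -split "`r?`n"

function Get-CdpHits {
    # Parses W3C log lines using the #Fields: header so column order is not hard-coded.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other directives, blank lines, and anything before a #Fields: header.
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # CRL (base and delta, "+.crl") = CDP; .crt = AIA. Anything else is not a PKI fetch.
        if ($rec['cs-uri-stem'] -match '\.(crl|crt)$') {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
                Client    = $rec['c-ip']
                Uri       = $rec['cs-uri-stem']
                Status    = [int]$rec['sc-status']
                UserAgent = $rec['cs(User-Agent)']
            }
        }
    }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sampleLog }
$hits  = Get-CdpHits -Lines $lines

# One row per client: fetch count, which objects, last seen, and whether it is on the LAN.
$hits | Group-Object Client | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Name
        Fetches  = $_.Count
        Objects  = ($_.Group.Uri | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group.Timestamp | Measure-Object -Maximum).Maximum
        Internal = $_.Name -like '10.*'   # assumption: 10.0.0.0/8 is the private LAN
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Two things to keep in mind when reading the result: IIS logs timestamps in UTC by default, so compare against the CRL's next-update time accordingly, and a `Microsoft-CryptoAPI` user agent means a Windows machine building a chain (a domain member validating a DC or VPN certificate), not a browser. A client that still appears here shortly before decommissioning is one that will start failing revocation checks once the CDP goes dark, which is the point of the comment above about keeping the CDP reachable.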

0 Answers