Retire internal Windows root CA

Question

A former colleague created an internal root CA named CA1 with server2008. During migration to a newer OS version a Server CA2 was created and CA1 turned off. Now my problem is, all systems still think they have to ask CA1 to get new certificates. So how do I tell them that CA1 does not exist anymore and they have to ask CA2?

If I open pkiview.msc on one of these servers it lists both servers as certificate authorithies.

score 1 · Accepted Answer · answered Jul 08 '21 at 09:29

You need to decommission old CA from Active Directory using the following TechNet Wiki article: How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects

since your old CA is off, you need to complete only steps: 6, 7 and 9. Other steps are not applicable. After cleaning Active Directory from old CA remnants, make sure it will never be powered on.

score 0 · Answer 2 · answered Jul 19 '21 at 09:23

0

If someone, is looking for the complete Way

You can take a look here

answered Jul 19 '21 at 09:23

djdomi

1,599
3
12
19

Retire internal Windows root CA

2 Answers2