1

We decommissioned our old Exchange 2003 server over a month ago. The server was also our CA (which wasn't widely used). I've removed all traces of this old CA in Sites and Services except for the Certificate Templates. Is it safe to remove these as well?

Our new DCs are all Server 2012, and I would like to stand up a new CA, but I want to be sure I have scrubbed all traces of the old one before I do. Should I even be concerned with these old certificate templates, or will the new CA simply overwrite them?

Lee Harrison

2 Answers

2

No harm in deleting them since they're useless anyway. Scrubbing the old server usually means deleting everything related so nothing conflicts.

Nathan C
2

There are very specific steps to take to properly decommission an Enterprise CA. Please follow the steps outlined in "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000".

The basics are:

Step 1: Revoke all active certificates that are issued by the enterprise CA

Step 2: Increase the CRL publication interval

Step 3: Publish a new CRL

Step 4: Deny any pending requests

Step 5: Uninstall Certificate Services from the server

Step 6: Remove CA objects from Active Directory

Step 7: Delete certificates published to the NtAuthCertificates object

Step 8: Delete the CA database

Step 9: Clean up domain controllers

MDMarra
  • The server itself literally died the day after we migrated to Exchange 2003. Unfortunately we did not have the option of ramping it down per these instructions. I should have noted that in the questions. Good answer nonetheless. – Lee Harrison Jun 19 '13 at 16:30
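
A read-only inventory of what is still registered in Active Directory for the objects named in Steps 6 and 7, plus the certificate templates the question asks about. This is an added example, not code from the posts above or from the Microsoft article; it assumes the RSAT ActiveDirectory module is available, and `OLD-CA-NAME` is a placeholder for the dead CA's common name.

```powershell
# Added example: lists leftover AD CS objects; it deletes nothing.
# Assumptions: ActiveDirectory module installed; $OldCaName is a placeholder.
Import-Module ActiveDirectory

$OldCaName = 'OLD-CA-NAME'   # placeholder: common name of the decommissioned CA
$configNC  = (Get-ADRootDSE).configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNC"

# Step 6: containers that hold per-CA objects, plus the template container.
# Templates are forest-wide objects shared by every enterprise CA, so they
# do not carry a CA name and MatchesOldCa stays False for them.
$containers = 'AIA', 'CDP', 'Certification Authorities',
              'Enrollment Services', 'KRA', 'Certificate Templates'

$leftovers = foreach ($name in $containers) {
    $base = "CN=$name,$pkiBase"
    try {
        Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * `
                     -Properties whenChanged -ErrorAction Stop |
            Where-Object { $_.DistinguishedName -ne $base } |
            ForEach-Object {
                New-Object psobject -Property @{
                    Container    = $name
                    Name         = $_.Name
                    ObjectClass  = $_.ObjectClass
                    WhenChanged  = $_.whenChanged
                    MatchesOldCa = ($_.DistinguishedName -like "*CN=$OldCaName*")
                }
            }
    } catch {
        Write-Warning "Container not found or not readable: $base"
    }
}
$leftovers | Sort-Object Container, Name |
    Format-Table Container, Name, ObjectClass, MatchesOldCa, WhenChanged -AutoSize

# Step 7: CA certificates still trusted for logon via NTAuthCertificates.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList @(,[byte[]]$raw)
    New-Object psobject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsOldCa    = ($cert.Subject -like "*CN=$OldCaName*")
    }
}
```

Rows with `MatchesOldCa` or `IsOldCa` set to `True` are the entries the decommissioning steps expect to be gone before a new CA is installed.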