Decommissioning Root CA? Ok.....but a Root CA + Sub Root CA ?
m***@gmail.com
2006-11-30 17:33:10 UTC
Hi all,

I read the "Checklist: Decommissioning a certification authority" and
the KB889250 "How to decommission a Windows enterprise certification
authority...".

The problem is that in my domain I've got a root CA and a sub root
CA... from which server do I start?
In a virtual environment I started from the sub root CA.
I think that it is ok... but I've got a small problem:

The last step, domain controller cleanup, the command is: certutil -dcinfo
deletebad

Do I do it after removing the Root CA (the last CA in the domain), or 2 times? One
time after decommissioning the Sub Root CA, and one time after
decommissioning the CA?

Can someone suggest a document about this "particular"
decommissioning (Root plus Sub Root)?

Thx a lot.

Manolo Rizzuto
Carsten Kinder [MSFT]
2006-12-02 21:55:37 UTC
The KB article was updated on 10/30.
There is no "certutil -dcinfo deletebad" command anymore.
Pls check the updated article.
m***@gmail.com
2006-12-03 23:19:59 UTC
Post by Carsten Kinder [MSFT]
The KB article was updated on 10/30.
There is no "certutil -dcinfo deletebad" command anymore.
Pls check the updated article.
Ciao C.K.,

Thx for the reply.

I read the KB updated on 10/30... but please, pay attention... if
you read step n° 8:
"
After the CA has been uninstalled, the certificates that have been
issued to all the domain controllers must be removed. To remove
certificates that are issued to domain controllers, use the Dsstore.exe
utility from the Microsoft Windows 2000 Resource Kit.
"

This is a mistake because in the MS Win2003 RK the old dsstore used here is
supplied by

certutil -dcinfo deleteBad

As written in
http://technet2.microsoft.com/WindowsServer/en/library/a29de265-85b8-48d8-b7b9-046eabb6ce741033.mspx?mfr=true

In fact:

Domain Controller Cleanup
Once the CA has been taken down, the certificates that have been issued
to all the domain controllers need to be removed. This can be done
quite easily using DSSTORE.EXE from the Resource Kit.

To remove old domain controller certificates:
1. At the command prompt on a domain controller, type
   certutil -dcinfo deleteBad
2. Certutil.exe will attempt to validate all the DC certificates issued
   to the domain controllers. Certificates that fail to validate will be
   removed.

So I think that the KB must be re-updated :)

What do you think about a Root CA and Sub Root CA? I dismiss the sub
using the procedure, and the root in the same way?
Have you got other white papers?
Ciao!
Manolo
Carsten Kinder [MSFT]
2006-12-04 18:34:08 UTC
Post by m***@gmail.com
This is a mistake because in the MS Win2003 RK the old dsstore used here is
supplied by
certutil -dcinfo deleteBad
Good catch, I am going to submit a change request for the article
Post by m***@gmail.com
What do you think about a Root CA and Sub Root CA? I dismiss the sub
using the procedure, and the root in the same way?
Since the Root CA has not issued certificates to the domain controllers you
don't have to perform a certutil -dcinfo deleteBad after decommissioning the
root.
Post by m***@gmail.com
Have u got other white papers?
Not for this topic ... Sorry
--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no rights.
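An added example, not part of the thread and not Microsoft's own tooling: a read-only PowerShell audit of the domain controllers' machine stores before running the domain controller cleanup step discussed above. It reports which DC certificates were issued by the decommissioned sub CA and which still chain-validate, so an administrator can see what `certutil -dcinfo deleteBad` would remove and whether a DC would be left without any valid certificate. It assumes the ActiveDirectory module, WinRM access to the DCs, and a placeholder CA subject name in `$DecommissionedCA`.

```powershell
# Read-only audit of DC certificates ahead of "certutil -dcinfo deleteBad".
# Added example; $DecommissionedCA is a placeholder, replace it with the
# subject name of the sub CA you are decommissioning.
param(
    [string]$DecommissionedCA = 'CN=Contoso Issuing CA'   # placeholder value
)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($IssuerName)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Verify() builds the chain with the default policy (trust, validity
        # period, online revocation). Once the issuing CA and its CRL are gone,
        # its certificates typically fail here, which is what deleteBad keys on.
        $valid = $false
        try { $valid = $cert.Verify() } catch { $valid = $false }
        [pscustomobject]@{
            DC             = $env:COMPUTERNAME
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            IssuedByOldCA  = ($cert.Issuer -eq $IssuerName)
            ChainValidates = $valid
        }
    }
} -ArgumentList $DecommissionedCA

# Per-DC view: certificates that still validate survive deleteBad,
# the ones that fail are what it removes.
$report |
    Sort-Object DC, IssuedByOldCA |
    Format-Table DC, Subject, IssuedByOldCA, ChainValidates, NotAfter -AutoSize

# A DC with no valid certificate left breaks LDAPS and smart-card logon,
# so flag it before the cleanup rather than after.
$report | Group-Object DC | ForEach-Object {
    if (-not ($_.Group | Where-Object ChainValidates)) {
        Write-Warning ("{0}: no certificate in the machine store still validates; " +
                       "enroll a replacement from the new CA before running deleteBad." -f $_.Name)
    }
}
```

Run it once after decommissioning the sub CA; as noted in the reply above, the root never issued DC certificates, so the cleanup step does not need repeating after the root is removed.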