How to remove a certificate from the computer

How to manually remove the Enterprise Windows Certification Authority from a Windows 2000/2003 domain

  • 3 minutes to read

This article was written by Yuval Sinay, Microsoft MVP.

Original product version: Windows Server 2003
Original KB number:   555151

Problem Description

Some organizations have regular backup procedures for the Enterprise Windows Certification Authority. If there is a server problem (software / hardware), you may need to reinstall the Enterprise Windows Certification Authority. Before you can reinstall the Enterprise Windows Certification Authority, you may have to manually delete objects and data that belong to the original Enterprise Windows and are located in the Windows Active Directory.

root cause

Enterprise Windows Certificate Authority stores the configuration settings and data in Windows Active Directory.


A. Fuse:

It is recommended that you back up all nodes that contain Active Directory-related data before and after following this procedure, including:

  • Windows domain controller
  • Exchange server
  • Active Directory Connector
  • Windows Server with Services for Unix
  • ISA Server Enterprise
  • Enterprise Windows Certificate Authority

Use the following procedure as a last resort. This can affect your production environment and possibly restart some nodes / services.

B. Active Directory Clean:


Log into the system with an account that has the following privileges:

  1. Company administrator
  2. Domain administrator
  3. Certification Authority Administrator
  4. Schema Administrator (The server used as the schema master FSMO should be online during the process).

To remove all Certification Services objects from Active Directory:

  1. Start "Active Directory Sites and Services".

  2. Select the menu option "view"and select"services show "node.

  3. Expand the "services"and then expand"Public Key Services".

  4. Select the node "AIA" out.

  5. Find the object in the right pane "certificateAuthority"for your certification authority. Delete the object.

  6. Select the node "CDP" out.

  7. In the right pane look for the container object for the server on which certification services are installed. Delete the container and the objects it contains.

  8. Select the node "Certification bodies" out.

  9. Find the object in the right pane "certificateAuthority"for your certification authority. Delete the object.

  10. Select the node "Registration services" out.

  11. In the right pane, check that the Object pKIEnrollmentService for your certification authority is deleted.

  12. Select the node "Certificate templates" out.

  13. In the right pane, delete all certificate templates.


    Only delete all certificate templates if no other # A0 are installed in the forest. If the templates are accidentally deleted, restore the templates from the backup.

  14. Select the node "Services for public key "and find the object"NTAuthCertificates".

  15. If no other Enterprise or Standalone CAs are installed in the forest, delete the object; otherwise, leave it alone.

  16. use the Active Directory Sites and Services command or "from the Windows Resource Kit to force replication to the other domain controllers in the domain / forest.

Domain controller cleanup

After the certification authority has been removed, the certificates that were issued for all domain controllers must be removed. This can be easily done using the DSSTORE.EXE resource kits:

You can also remove old domain controller certificates using the command:

  1. At the command prompt on a domain controller, type:.

  2. an attempt is made to check all dc certificates that have been issued for the domain controllers. Certificates that cannot be verified will be removed. At this point, you can reinstall Certificate Services. When the installation is complete, the new root certificate will be published in Active Directory. If the domain
    clients refresh their security policy, they'll automatically download the new root certificate into their trusted root stores. o Force the application of the security policy.

  3. At the command prompt, enter.


    If the Enterprise Windows Certification Authority has published computer / user certificates or other types of certificates (web server certificates and so on), it is recommended that you remove the old certificates before reinstalling the Enterprise Windows certificate.

additional Information

Community Solutions Content Disclaimer

Microsoft Corporation and / or its respective suppliers make no claims as to the suitability, reliability, or accuracy of the information and related graphics contained therein. All of this information and related graphics are provided "as is" without warranty of any kind. Microsoft and / or its respective vendors hereby disclaim all warranties and conditions relating to this information and related graphics, including all implied warranties and conditions of MERCHANTABILITY, fitness for a particular purpose, skill, title and non-infringement. You expressly agree that Microsoft and / or its suppliers will in no event be liable for any direct, indirect, criminal, incidental, special, consequential, or any damages, including, without limitation, damages for loss of use, data, or profits that occur arising from or in any way related to the use or inability to use the information and related graphics contained in this Agreement, tort, negligence, strict liability, or otherwise, even if Microsoft or one of its suppliers has been advised of the possibility of damage are.