Removing an Enterprise Certificate Authority
Eric Maino
Guest

Posted: Wed Jan 12, 2005 11:49 pm    Post subject: Removing an Enterprise Certificate Authority

I was wondering if it is possible to remove an enterprise certificate
authority. I have a virtual environment I am testing a scenario with and it
appears that in this scenario there are 3 enterprise level CAs of which only
1 is valid. The other two existed on a server that is no longer available. I
would like to remove these from AD if possible so that when an admin
retargets the CA he/she will only see the valid CA rather than two invalid
ones and a valid one.
Phillip Renouf
Guest

Posted: Thu Jan 13, 2005 1:53 am    Post subject: RE: Removing an Enterprise Certificate Authority

If there are 3 CAs in the environment you should make sure that this wasn't
set up to be a 3-tier PKI infrastructure. In that 3-tier setup there is only
one CA actually online; the others are shut off unless they are required. The
one online is an issuing CA and the two others are a CA to authorize issuing
CAs and the main CA that is in control of the entire PKI infrastructure (and
authorizes the intermediate CAs).

That may explain why the other two servers aren't available or seem to be
gone.

Phil

"Eric Maino" wrote:

Quote:
I was wondering if it is possible to remove an enterprise certificate
authority. I have a virtual environment I am testing a scenario with and it
appears that in this scenario there are 3 enterprise level CAs of which only
1 is valid. The other two existed on a server that is no longer available. I
would like to remove these from AD if possible so that when an admin
retargets the CA he/she will only see the valid CA rather than two invalid
ones and a valid one.
Eric Maino
Guest

Posted: Thu Jan 13, 2005 1:59 am    Post subject: RE: Removing an Enterprise Certificate Authority

Phillip

Unfortunately this is not the situation. The other two CAs are officially no
longer valid CAs in the enterprise.

Eric

"Phillip Renouf" wrote:

Quote:
If there are 3 CAs in the environment you should make sure that this wasn't
set up to be a 3-tier PKI infrastructure. In that 3-tier setup there is only
one CA actually online; the others are shut off unless they are required. The
one online is an issuing CA and the two others are a CA to authorize issuing
CAs and the main CA that is in control of the entire PKI infrastructure (and
authorizes the intermediate CAs).

That may explain why the other two servers aren't available or seem to be
gone.

Phil

"Eric Maino" wrote:

I was wondering if it is possible to remove an enterprise certificate
authority. I have a virtual environment I am testing a scenario with and it
appears that in this scenario there are 3 enterprise level CAs of which only
1 is valid. The other two existed on a server that is no longer available. I
would like to remove these from AD if possible so that when an admin
retargets the CA he/she will only see the valid CA rather than two invalid
ones and a valid one.
Phillip Renouf
Guest

Posted: Thu Jan 13, 2005 2:07 am    Post subject: RE: Removing an Enterprise Certificate Authority

After thinking about my response for another few minutes, that may not explain
it, since if the 3-tier architecture was done properly the two offline CAs
should be stand-alone CAs and not enterprise CAs. I also just noticed that
you mentioned that two of the CAs were on one server?

Phil

"Eric Maino" wrote:

Quote:
I was wondering if it is possible to remove an enterprise certificate
authority. I have a virtual environment I am testing a scenario with and it
appears that in this scenario there are 3 enterprise level CAs of which only
1 is valid. The other two existed on a server that is no longer available. I
would like to remove these from AD if possible so that when an admin
retargets the CA he/she will only see the valid CA rather than two invalid
ones and a valid one.
All times are GMT