Manually remove old CA references in Active Directory

Microsoft Security Solutions

directory-icon

Summary

When a CA server is uninstalled or crashes beyond recovery some objects are left in Active Directory. It’s good practice to remove these obsolete objects.

Background

When you install a version of Certificate Authority that is Active Directory-integrated (i.e. Enterprise Root or Enterprise Subordinate) the following 6 objects are created/modified in the Active Directory database:

Name: <CA Common Name>
Type: certificateAuthority
LDAP Path: CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CA certificates that clients can fetch when validating a certificates chain. Certificates can point to this location via the Authority Information Access (AIA) certificate extension.

Name: <CA Common Name>
Type: crlDistributionPoint
LDAP Path: CN=<CAServerName>,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CRLs (base and delta) that CAs has published in the AD. Certificates can point to this location via the CRL Distribution Point (CDP) certificate extension.

Name: <Root CA Common…

View original post 706 more words

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s