Manually removing a CA (Certificate Authority) from a Windows AD domain


The domain controllers' event logs kept reporting errors, caused by a CA in the US that had been improperly decommissioned before I joined the company.

Many years later it fell to me, and the only option was to clean it up by hand.

~~~~

Reference document:

http://retrohack.com/cleaning-up-after-a-failed-2008-certificate-authority/

Finding myself with a 2008 AD integrated certificate authority gone bork, I wanted to get it completely out of AD. The server was long since dead, so gracefully uninstalling Certificate Services was not an option. Its presence wasn’t hurting anything, but if you know me at all, you know I like a clean AD.

The main steps below were taken from http://support.microsoft.com/kb/889250, but I have changed them to match up with what I did for Windows 2008. The biggest difference was that I had to go into ADSIEDIT to do most of this, instead of AD Sites & Services.


Determine the CACommonName of the CA.

If you do not remember this, create an msc, add the Certificates snap-in for your local computer, and browse down the tree to Trusted Root Certification Authorities. Expand the Certificates, and then browse through until you find the name of the failed CA.

Then follow these steps, being careful NOT to delete other PKI objects such as those from TMG or other CAs in your environment.

  1. Click Start, Run, then type adsiedit.msc and click OK.
  2. Right-click ADSI Edit, select connect to, and choose Configuration from the drop down menu for "Select a well known naming context."
  3. Expand Services, expand Public Key Services, and then click the AIA folder.
  4. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
  5. In the left pane, click the CDP folder.
  6. In the right pane, locate the container object for the server where Certificate Services is installed. Right-click the container, click Delete, and then click Yes two times.
  7. In the left pane, click the Certification Authorities node.
  8. In the right pane, right-click the CertificationAuthority object for your CA, click Delete, and then click Yes.
  9. In the left pane, click the Enrollment Services node.
  10. In the right pane, verify that the pKIEnrollmentService object for your CA was removed when Certificate Services was uninstalled. If the object is not deleted, right-click the object, click Delete, and then click Yes.
  11. At the root of CN=Public Key Services, find the object CN=NTAuthCertificates and access its properties. There is a multi-valued string cACertificate. Remove the entry that corresponds to your dead CA. Hopefully, you will only have one, as this is encoded. If you see multiple, you can try to figure out which is the correct one by picking it out chronologically, or by converting the encoding to ASCII characters, or perhaps you could consult the Tarot, or I Ching. Sorry, I don’t have much better advice to give on this one.

Then log on to a domain controller, open an administrative cmd prompt and run this command:

    certutil -dcinfo deleteBad

Certutil.exe tries to validate all the DC certificates that are issued to the domain controllers. Certificates that do not validate are removed.

Finally, go into your default domain GPO, Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies and remove the root certificate from the list of Trusted Root Certificate Authorities. Give your clients time to refresh group policy, and you’re all set.
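The following read-only PowerShell script is an added example, not code from the original post or from Microsoft. It lists the objects under each Public Key Services container that the ADSI Edit steps above walk through, and decodes every value of the cACertificate attribute on NTAuthCertificates so the dead CA's entry (step 11) can be recognised by subject and thumbprint rather than guessed. It assumes two placeholder values, $caName and $caServer, which you replace with the CACommonName and the host name of the dead CA; it deletes nothing.

```powershell
# Added example (not from the original post): audit the PKI containers before deleting by hand.
# Uses .NET ADSI (System.DirectoryServices), so it runs on any domain member without RSAT.
$caName   = 'DEAD-CA-COMMONNAME'   # placeholder: the CACommonName you determined above
$caServer = 'DEAD-CA-HOSTNAME'     # placeholder: host name of the server that ran Certificate Services

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# The four containers the manual steps touch: AIA, CDP, Certification Authorities, Enrollment Services.
foreach ($container in 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services') {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$container,$pkiBase"
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'OneLevel'     # direct children only; CDP holds one container per server
    foreach ($result in $searcher.FindAll()) {
        $cn = [string]$result.Properties['cn'][0]
        # Flag entries that look like the dead CA (by CA name) or its host (CDP is keyed by server name).
        $suspect = ($cn -like "*$caName*") -or ($cn -like "*$caServer*")
        [pscustomobject]@{
            Container = $container
            Name      = $cn
            Suspect   = $suspect
            Path      = $result.Path
        }
    }
}

# Step 11: NTAuthCertificates stores raw DER certificates in cACertificate. Decode each value
# so the right one can be identified; the attribute is only edited manually in ADSI Edit.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
foreach ($raw in $ntAuth.Properties['cACertificate']) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        IsDeadCA   = ($cert.Subject -like "*CN=$caName*")
    }
}
```

Run it once before the ADSI Edit deletions to confirm only the expected objects are flagged, and again afterwards (and after certutil -dcinfo deleteBad) to verify nothing belonging to a live CA was touched.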

But since you really ought to wait for group policy to propagate before you make any other changes, you should take a few moments to yourself and resist the temptation to make more changes. Trust me, this is for your own good. Tell your boss I said so. As I was finishing this up, I overheard the word "Willoughby" and was reminded of one of my favourite episodes of The Twilight Zone. The time it takes you to enjoy the show below should be just enough time to wait for GPO propagation to complete before you do anything else.

