Removing Domain Controller Certificates

Applies To: Windows Server 2003 with SP1

Occasionally, it may be necessary to remove or delete unwanted certificates locally in a certificate store, or remotely in Active Directory, either to correct mistakes or to perform periodic system cleanup. The following section describes the procedures to perform these activities. However, removing a certificate from a certificate store or an Active Directory object is not specific to domain controller certificates. The procedures are the same for any user or computer certificate type.

Removing Certificates from a Local Certificate Store

It may be necessary to remove certificates locally from a domain controller to ensure that only valid certificates are used by the domain controller or other applications. Expired or revoked certificates may be removed from a domain controller since the purpose of domain controller certificates is to encrypt replication traffic. Once replication has been performed, the replication data is discarded and there are no requirements to decrypt this information again. Therefore, such certificates may be safely deleted from the local machine profile.

To remove certificates from a dedicated domain controller, perform the following steps.

  1. While logged on as a member of the local Administrators group, start the Microsoft Management Console (MMC).

  2. Add the Certificates MMC Snap-In.

  3. Select Computer Account when prompted to select an account to manage.

  4. In the Certificates MMC Snap-In, navigate to Personal in the left pane.

  5. In the right pane, determine the domain controller certificate(s) by the template name as shown in the Certificate Templates column or select the certificate(s) by their intended purpose.

  6. Delete the certificate(s) by selecting Delete on the Action menu.

  7. Close the MMC Snap-In and log off.

Removing Certificates from an Active Directory Computer Object

In some cases, it may be necessary to remove certificates that are stored in an Active Directory object explicitly. Usually, this is the case if certificates have been enrolled manually. The auto-enrollment functionality in Windows XP and Windows Server 2003 can remove certificates from Active Directory objects when it determines that certificates in the Active Directory object have expired or are revoked. Also, the CA removes expired certificates when it publishes a new certificate in an object in Active Directory. For more information about the functionality performed by auto-enrollment, see the Certificate Autoenrollment in Windows Server 2003 white paper at

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

To manually remove a certificate from a domain controller object in Active Directory, perform the following steps.

  1. Log on as a domain or enterprise administrator to a computer in your domain where the Windows Server 2003 version of certutil is installed and available.

    Note

    The following steps work only with the Windows Server 2003 version of certutil.exe. Thus, if you perform the following steps from a Windows 2000 domain controller, you must add a prefix to the certutil command. The prefix is the path to which you copied certutil.exe. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.

  2. At a command-line prompt, run the following command and press Enter.

    certutil -viewdelstore "ldap:///cn=<dcname>,ou=domain controllers,<domainname>?usercertificate"

    The command contains the distinguished name of the object and specifies the LDAP attribute explicitly. If the LDAP attribute is missing or an invalid attribute was specified, the command will fail with an “Access denied” error message.

    In the case of domain controller certificates, certificates are always stored in the userCertificate attribute. However, user objects may also have certificates in the usercert or userSMIMEcertificate attributes, written by other applications such as Outlook, which use these attributes as their preferred location for storing certificates.

    A window will appear displaying the array of certificates on the specified object. If the object contains certificates in the given attribute, the certificates are shown in the window. If no certificates are available, the list in the window will be empty.

  3. To remove a specific certificate, select the certificate and click OK.

    The window will close and a status message similar to the following will be displayed at the command-line prompt: “Deleted certificate <certificate subject name>”, where <certificate subject name> is the subject name of the certificate.

  4. To close the window without deleting a certificate, click Cancel.
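The certutil -viewdelstore window lists the certificates but does not tell you which ones have expired. The following PowerShell script is an added example, not part of this white paper, that reads the same userCertificate attribute of a domain controller object and flags expired or not-yet-valid entries so you know which ones to select. It assumes a domain-joined machine with PowerShell, and the DC name and domain DN are placeholders.

```powershell
# Added example (not from the original white paper). Reads the userCertificate
# attribute of a domain controller object and reports each certificate's validity
# so expired entries can be identified before deleting them with certutil.
# Assumptions: run as a domain administrator; DC name and domain DN are placeholders.

function Get-DcPublishedCertificate {
    param(
        [string]$DcName   = 'DC01',              # placeholder domain controller name
        [string]$DomainDn = 'DC=example,DC=com'  # placeholder domain DN
    )

    # Same object the certutil command targets: cn=<dcname>,ou=domain controllers,<domain>
    $dn  = "CN=$DcName,OU=Domain Controllers,$DomainDn"
    $obj = [ADSI]"LDAP://$dn"

    # userCertificate is multi-valued; each value is a DER-encoded X.509 certificate.
    $values = @($obj.Properties['userCertificate'])
    if ($values.Count -eq 0) {
        Write-Host "No certificates found in userCertificate on $dn"
        return
    }

    $now = Get-Date
    $index = 0
    foreach ($der in $values) {
        # Wrap the byte array so New-Object passes it as a single constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (,[byte[]]$der)

        $status = if ($cert.NotAfter -lt $now)      { 'EXPIRED' }
                  elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
                  else                              { 'valid' }

        [pscustomobject]@{
            Index      = $index++
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

# Usage: list the certificates published for DC01, expired ones marked EXPIRED.
Get-DcPublishedCertificate -DcName 'DC01' -DomainDn 'DC=example,DC=com' | Format-Table -AutoSize
```

The script only reads the attribute; the actual removal is still done through the certutil -viewdelstore dialog described in step 3, where the Subject and Thumbprint columns identify the entry to select.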