Uninstall a Certification Authority

Applies To: Windows Server 2008

There may be times when you need to uninstall a certification authority (CA). However, clients will not be able to send requests to this CA and some applications that depend on your public key infrastructure (PKI) may not function properly after a CA that is needed to verify the validity and revocation status of a certificate has been uninstalled.

If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA and you should list "Cease of operation" as the reason for the revocation. If the CA is a self-signed root CA, then all of the certificates issued by the CA that have not expired should be revoked and a certificate revocation list (CRL) should be generated that lists the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

Uninstalling an enterprise CA should be done properly to ensure that its CA enrollment object is removed from Active Directory Domain Services (AD DS). Failure to do so may cause Active Directory clients to continue attempts to enroll for certificates from that CA. If an enterprise CA cannot be uninstalled normally, use the Enterprise PKI snap-in to manually remove the CA objects from AD DS.

If you are uninstalling an enterprise CA, membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To uninstall a CA

  1. Click Start, point to Administrative Tools, and click Server Manager.

  2. Under Roles Summary, click Remove Roles to start the Remove Roles Wizard. Click Next.

  3. Clear the Active Directory Certificate Services check box, and click Next.

  4. On the Confirm Removal Options page, review the information, and then click Remove.

  5. If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.

  6. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

The procedure is slightly different if you have multiple Active Directory Certificate Services (AD CS) role services installed on a single server. You can use the following procedure to uninstall a CA but retain other AD CS role services.

You must log on with the same permissions as the user who installed the CA to complete this procedure. If you are uninstalling an enterprise CA, membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To uninstall a CA role service

  1. Click Start, point to Administrative Tools, and click Server Manager.

  2. Under Roles Summary, click Active Directory Certificate Services.

  3. Under Roles Services, click Remove Role Services.

  4. Clear the Certification Authority check box, and click Next.

  5. On the Confirm Removal Options page, review the information, and then click Remove.

  6. If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.

  7. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

After a CA has been uninstalled, the following information is left on the server:

  • The CA database

  • The CA public and private keys

  • The CA's certificates in the Personal store

  • The CA's certificates in the shared folder, if a shared folder was specified during AD CS setup

  • The CA chain's root certificate in the Trusted Root Certification Authorities store

  • The CA chain's intermediate certificates in the Intermediate Certification Authorities store

  • The CA's CRL

This information is kept on the server by default, in case you are uninstalling and then reinstalling the CA. For example, you might uninstall and reinstall the CA if you want to change a stand-alone CA to an enterprise CA.

Additional references