Export (0) Print
Expand All

Uninstall a certification authority

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To uninstall a certification authority

  1. Log on to the system as the user who installed the certification authority.

  2. Open Add or Remove Programs in Control Panel.

  3. Click Add/Remove Windows Components.

  4. In the Windows Components Wizard, clear the Certificate Services check box, and then click Next.

  5. If Internet Information Services is running, the system requests that you stop the service before proceeding with the uninstall process. If this happens, click OK.


  • To open Add/Remove Windows Components, click Start, click Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components.

  • You should back up the entire server before uninstalling the certification authority (CA).

  • When you uninstall a CA, the following information is left on the server:

    • The CA database

    • The CA public and private keys

    • The CA's certificates in the Personal store

    • The CA's certificates in the shared folder, if a shared folder was specified during Certificate Services setup

    • The CA chain's root certificate in the Trusted Root Certification Authorities store

    • The CA chain's intermediate certificates in the Intermediate Certification Authorities store

    • The CA's certificate revocation list (CRL)

    This information is kept on the server by default, in case you are uninstalling and then reinstalling the CA. For example, you might uninstall and reinstall if you wanted to change a stand-alone CA to an enterprise CA.

  • If you installed the enterprise or enterprise subordinate certification authority as an Enterprise Admin or delegated user, then you must use the Enterprise Admin or delegated user account when you uninstall the certification authority.

  • If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA for a certificate revocation reason of "Cease of operation". If the CA is a self-signed root CA, then all of the certificates that have not expired should be revoked and a CRL generated with the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

  • When uninstalling an enterprise CA, it is important that it be uninstalled properly to ensure that their CA enrollment object is removed from the Active Directory directory service. Failure to do so may result in Active Directory clients continuing to attempt to enroll against that CA. If an enterprise CA cannot be uninstalled normally, Active Directory tools should be used to manually remove the CA objects from Active Directory.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Community Additions

© 2016 Microsoft