How to remove a trusted Certificate Authority from computers in the domain

Author: Yuval Sinay MVP

Community Solutions Content Disclaimer

View products that this article applies to.

Expand all | Collapse all

SUMMARY

The following knowledgebase will help you to remove a trusted Certificate Authority from computers in the domain

Back to the top

After you installed Enterprise Certificate Authority, the computers in your domain,
add the Enterprise Certificate Authority to the trusted Certificate Authority list
automatically.
After uninstall the Enterprise Certificate Authority, this trust doesn’t removed
automatically.

The same issue can occur if you publish a stand alone Certificate Authority

as Certificate Authority by using Windows Group Policy.

Microsoft Knowledgebase 889250 present an option to use "Certutil.exe" as

               tool that can help to remove the trust in the old Certificate Authority.
               However, if you reinstall the Certificate Authority with the same name, this
               tool wouldn’t be helpful.

Back to the top

CAUSE

This issue occurs due to improper uninstalled process of Enterprise Certificate Authority or
improper uninstalled process of Stand Alone Certificate Authority.

Back to the top

RESOLUTION

Obtain the following files from the CAPICOM SDK and Windows 2003,

             save the in a new folder named "RemoveCA":

                 Capicom.dll
                 Certadm.dll
                 Cerutil.exe

    2. Copy the text bellow to a new file, named "login.bat":

Start of script
----------------------------------------------------------------------------------------------

cd\
md RemoveCA
copy %0\..\removeca.vbs c:\RemoveCA
copy %0\..\capicom.dll c:\RemoveCA
copy %0\..\certutil.exe c:\RemoveCA
copy %0\..\certadm.dll c:\RemoveCA
copy %0\..\remove.vbs c:\RemoveCA

cd RemoveCA
c:\windows\system32\regsvr32 capicom.dll /s

start /w c:\windows\system32\cscript remove.vbs

cd\
rd removeca /s /q

c:\windows\system32\regsvr32 -u capicom.dll /s

-----------------------------------------------------------------------------------------
End of script

    3. Copy the text bellow to a new file, named "Remove.vbs":

Start of script
---------------------------------------------------------------------------------------------------------------------------------------

VerifyHostIsCScript

DIM Store, Certificate
Dim uPublicKey
Dim uEncodedData
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME       = 0
Const CAPICOM_MEMORY_STORE                        = 0
Const CAPICOM_LOCAL_MACHINE_STORE                 = 1
Const CAPICOM_CURRENT_USER_STORE                  = 2
Const CAPICOM_STORE_OPEN_READ_ONLY                = 0
Const CAPICOM_STORE_OPEN_EXISTING_ONLY            = 128
Const PublicKeyInput="30 32 02 0a 02 82 02 01 02 ba b5 30 43 26 58 ce 55 6f a6 58 91 da 99 2b d9 1c 43 f6 11 fe 55 00 4d 55 e6 0a 8f f0 2c e0 0f 4d 45 22 7e ac e2 92 76 47 d5 d6 af 36 a8 16 28 3f ff ce 05 82 b0 cf 86 1e b3 67 c2 8c 4a 42 91 5f 0a 7b 5f ba b4 66 e1 f5 36 af 22 92 00 6e cf 60 bb 47 25 b5 bb e1 84 c6 45 30 61 8e 2f ec 18 49 c8 a1 6a d9 83 32 ac fd e8 ed 92 76 e6 25 01 3b 8f e6 fb 02 73 c3 2b cb 05 2e 97 53 20 9f 36 51 db 13 f3 35 85 fa 5b a9 c0 7b b1 1c f8 aa ec e8 1e 43 8f 14 0f 91 1f b8 04 1c bc 1a b8 96 fa 96 0e 60 ff d7 9b 52 c5 97 90 78 9c d7 ab f6 aa 9a 1b 0e e6 2b 55 b5 2d b9 45 d0 11 06 68 94 ad 72 1e 78 1d b9 9d 4f 01 c0 00 49 09 6b 6f a8 fa a3 87 a4 25 13 5b ff a1 e0 b2 d8 d4 17 64 e5 62 2a 47 28 4a 84 37 6d 3b cb 41 e2 7c fa a4 1d 53 aa e6 db 18 51 fd 51 b2 e9 41 81 e0 70 11 0c 07 51 14 8d 89 29 4b 65 2b 0d de 28 8c 41 e3 e0 03 d0 80 3f 91 ad 37 02 25 53 a8 b9 e8 b2 4f ed cb 66 35 fe 31 a5 a5 9e b2 01 28 c3 89 81 56 f1 a2 8e 33 0a c9 c5 0b 98 e2 5d fb 34 0e f4 5e 23 43 f1 0b 9b 17 a0 2c be 81 c7 85 99 4a 75 a5 81 50 34 db b1 09 35 35 b3 97 9d da 1d 5f 57 cf 6f e2 0b 43 a6 b9 58 65 f2 5a a1 1c ca 87 34 38 18 a3 27 64 94 78 f4 b2 51 41 76 ca de 3c 27 05 24 06 18 ba 40 e8 1a f3 47 42 22 8f ef 3f 20 e1 2d 91 af 32 4a a1 9e 40 87 2c ab 26 1f d3 60 39 41 e2 56 44 dd 35 cc 25 32 d5 2d 51 71 32 2d fd 1a 06 3b e1 d2 54 e6 ad 0a c4 31 af ea 6e 78 59 93 94 8e ca c8 e2 fe 78 3a 30 4e cc bc be eb e1 9d d7 1b 34 40 fc 95 04 88 5b e0 50 98 b7 92 47 bb ea 92 47 62 54 02 73 b6 2d 29 8f df 98 b3 63 df d1 36 dc 84 3e 4f a4 7f 2a 60 58 8e c2 eb 2f 3f b9 02 03 01 00 01"
Set Store = CreateObject("CAPICOM.Store")
Store.Open 1, "root", CAPICOM_STORE_OPEN_READ_ONLY
WScript.Echo "COMPUTER - TRUSTED ROOT CERTIFICATION AUTHORITIES (" & Store.Certificates.Count & " certs)"
For Each Certificate In Store.Certificates
                'If Certificate.isValid = 0 then
                     'WScript.Echo Certificate.Display
                               uPublicKey = Certificate.PublicKey.EncodedKey.Format(1)
                               if not strcomp(uPublicKey,PublicKeyInput,0) <> 0 Then

                                               WScript.Echo "I believe the certificate with name: " & Certificate.GetInfo(0) & " should be deleted"
                                               WScript.Echo "Serial Number - " & Certificate.SerialNumber
                                               WScript.Echo "PublicKey - " & uPublicKey
                                               WScript.Echo "This certificate matches the public key and will be delete"
                                               strKind = "root"
                                               strCert = "COMPUTER - TRUSTED ROOT"
                                               DelWrongCert Certificate.SerialNumber, strKind, strCert
                               end if
                'End IF
Next

Sub DelWrongCert(strSerial, strKind, strCert)
'intMsg = MsgBox("Do you want to delete the following certificate's serial number: " & VbCrLf & strSerial, 292, "Delete wrong " & strCert & " certificate")
'If intMsg = 6 Then
  Dim objShell : Set objShell = CreateObject("WScript.Shell")
  strRun = "certutil -delstore " & strKind & " " & strSerial
'wscript.echo strRun
  intRun = objShell.Run(strRun, 0, True)
  If intRun <> 0 Then
   WScript.Echo "Deletion failed !"
  End If
  Set objShell = Nothing
'End If
End Sub

Sub VerifyHostIsCScript()
    If Not LCase(Mid(WScript.FullName, InstrRev(WScript.FullName, "\") + 1)) = "cscript.exe" Then
        MsgBox "You should run this script using CScript." & VbCrLf & _
             "It can be achieved by :" & VbCrLf & _
             "1. Using ''CScript " & WScript.ScriptName & "''." & vbCrLf & _
             "2. Changing the default Windows Scripting Host" & VbCrLf & _
             "    to CScript by running once ''CScript //H:CScript''."
        WScript.Quit
    End If
End Sub

---------------------------------------------------------------------------------------------------------------------------------------
End of script

The "Const PublicKeyInput" constant represent the Certificate of the Certificate Authority

             "Public Key" hash value.

4. Copy the "login.bat" and "remove.vbs" file to the "RemoveCA" folder.

5. Copy the "RemoveCA" folder to one of your domain controllers:

      C:\WINDOWS\SYSVOL\sysvol\<YourDomainName\Policies\{31B2F340-016D-11D2-94

          5F-00C04FB984F9}\MACHINE\Scripts\Startup.

6. Wait for complete Active Directory replication.

7. Use GPMC to edit the "Default Domain Policy":

        and a new computer startup script:

       "Computer Configuration" -> "Windows settings" -> "Scripts" -> "Startup".

       When configuring the script policy, browse to the folder mention above

        and point to the "login.bat" file.

8. Wait for complete Active Directory replication.

9. After computer reboot, the old Certificate Authority will be removed.

Script Overview:

    a. Create a new folder in the user computer; "C:\RemoveCA"

    b. It then copies 4 file to this folder: "Capicom.dll", "Certadm.dll",

             "Cerutil.exe" and "Remove.vbs".

    c. Register the "capicom.dll" and use the "Certutil.exe" command to delete

              the old Certificate Authority

   d. .Unregister "capicom.dll" and remove the "C:\RemoveCA"
             folder.

Back to the top

MORE INFORMATION

Platform SDK Redistributable: CAPICOM

http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server

http://support.microsoft.com/kb/889250

Back to the top

APPLIES TO

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

Back to the top

kbpubmvp kbpubtypecca kbhowto KB555894

Back to the top

COMMUNITY SOLUTIONS CONTENT DISCLAIMER

MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

Back to the top