You are currently offline, waiting for your internet to reconnect

How to remove a trusted Certificate Authority from computers in the domain

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Author:
Yuval Sinay MVP
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
SUMMARY
The following knowledgebase will help you to remove a trusted Certificate Authority from computers in the domain
SYMPTOMS
After you installed Enterprise Certificate Authority, the computers in your domain,
add the Enterprise Certificate Authority to the trusted Certificate Authority list
automatically.
After uninstall the Enterprise Certificate Authority, this trust doesn’t removed
automatically.
 
  • The same issue can occur if you publish a stand alone Certificate Authority
              as Certificate Authority by using Windows Group Policy.
 
  • Microsoft Knowledgebase 889250 present an option to use "Certutil.exe" as
               tool that can help to remove the trust in the old Certificate Authority.
               However, if you reinstall the Certificate Authority with the same name, this
               tool wouldn’t be helpful.
 
 
CAUSE
 
This issue occurs due to improper uninstalled process of  Enterprise Certificate Authority or
improper uninstalled process of Stand Alone Certificate Authority.
 
 
 
RESOLUTION
 
  1. Obtain the following files from the CAPICOM SDK and Windows 2003,
              save the in a new folder named "RemoveCA":
 
                 Capicom.dll
                 Certadm.dll
                 Cerutil.exe
 
    2. Copy the text bellow to a new file, named "login.bat":
 

 
Start of script
----------------------------------------------------------------------------------------------
 
cd\
md RemoveCA
copy %0\..\removeca.vbs c:\RemoveCA
copy %0\..\capicom.dll c:\RemoveCA
copy %0\..\certutil.exe c:\RemoveCA
copy %0\..\certadm.dll c:\RemoveCA
copy %0\..\remove.vbs c:\RemoveCA
 
cd RemoveCA
c:\windows\system32\regsvr32 capicom.dll /s
 
start /w c:\windows\system32\cscript remove.vbs
 
cd\
rd removeca /s /q
 
c:\windows\system32\regsvr32 -u capicom.dll /s
 
-----------------------------------------------------------------------------------------
End of script
 
 
    3. Copy the text bellow to a new file, named "Remove.vbs":

 
Start of script
---------------------------------------------------------------------------------------------------------------------------------------
 
VerifyHostIsCScript
 
DIM Store, Certificate
Dim uPublicKey
Dim uEncodedData
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME       = 0
Const CAPICOM_MEMORY_STORE                        = 0
Const CAPICOM_LOCAL_MACHINE_STORE                 = 1
Const CAPICOM_CURRENT_USER_STORE                  = 2
Const CAPICOM_STORE_OPEN_READ_ONLY                = 0
Const CAPICOM_STORE_OPEN_EXISTING_ONLY            = 128
Const PublicKeyInput="30 32 02 0a 02 82 02 01 02 ba b5 30 43 26 58 ce 55 6f a6 58 91 da 99 2b d9 1c 43 f6 11 fe 55 00 4d 55 e6 0a 8f f0 2c e0 0f 4d 45 22 7e ac e2 92 76 47 d5 d6 af 36 a8 16 28 3f ff ce 05 82 b0 cf 86 1e b3 67 c2 8c 4a 42 91 5f 0a 7b 5f ba b4 66 e1 f5 36 af 22 92 00 6e cf 60 bb 47 25 b5 bb e1 84 c6 45 30 61 8e 2f ec 18 49 c8 a1 6a d9 83 32 ac fd e8 ed 92 76 e6 25 01 3b 8f e6 fb 02 73 c3 2b cb 05 2e 97 53 20 9f 36 51 db 13 f3 35 85 fa 5b a9 c0 7b b1 1c f8 aa ec e8 1e 43 8f 14 0f 91 1f b8 04 1c bc 1a b8 96 fa 96 0e 60 ff d7 9b 52 c5 97 90 78 9c d7 ab f6 aa 9a 1b 0e e6 2b 55 b5 2d b9 45 d0 11 06 68 94 ad 72 1e 78 1d b9 9d 4f 01 c0 00 49 09 6b 6f a8 fa a3 87 a4 25 13 5b ff a1 e0 b2 d8 d4 17 64 e5 62 2a 47 28 4a 84 37 6d 3b cb 41 e2 7c fa a4 1d 53 aa e6 db 18 51 fd 51 b2 e9 41 81 e0 70 11 0c 07 51 14 8d 89 29 4b 65 2b 0d de 28 8c 41 e3 e0 03 d0 80 3f 91 ad 37 02 25 53 a8 b9 e8 b2 4f ed cb 66 35 fe 31 a5 a5 9e b2 01 28 c3 89 81 56 f1 a2 8e 33 0a c9 c5 0b 98 e2 5d fb 34 0e f4 5e 23 43 f1 0b 9b 17 a0 2c be 81 c7 85 99 4a 75 a5 81 50 34 db b1 09 35 35 b3 97 9d da 1d 5f 57 cf 6f e2 0b 43 a6 b9 58 65 f2 5a a1 1c ca 87 34 38 18 a3 27 64 94 78 f4 b2 51 41 76 ca de 3c 27 05 24 06 18 ba 40 e8 1a f3 47 42 22 8f ef 3f 20 e1 2d 91 af 32 4a a1 9e 40 87 2c ab 26 1f d3 60 39 41 e2 56 44 dd 35 cc 25 32 d5 2d 51 71 32 2d fd 1a 06 3b e1 d2 54 e6 ad 0a c4 31 af ea 6e 78 59 93 94 8e ca c8 e2 fe 78 3a 30 4e cc bc be eb e1 9d d7 1b 34 40 fc 95 04 88 5b e0 50 98 b7 92 47 bb ea 92 47 62 54 02 73 b6 2d 29 8f df 98 b3 63 df d1 36 dc 84 3e 4f a4 7f 2a 60 58 8e c2 eb 2f 3f b9 02 03 01 00 01"
Set Store = CreateObject("CAPICOM.Store")
Store.Open 1, "root", CAPICOM_STORE_OPEN_READ_ONLY
WScript.Echo "COMPUTER - TRUSTED ROOT CERTIFICATION AUTHORITIES (" & Store.Certificates.Count & " certs)"
For Each Certificate In Store.Certificates
                'If Certificate.isValid = 0 then
                     'WScript.Echo Certificate.Display
                               uPublicKey = Certificate.PublicKey.EncodedKey.Format(1)
                               if not strcomp(uPublicKey,PublicKeyInput,0) <> 0 Then
 
                                               WScript.Echo "I believe the certificate with name: " & Certificate.GetInfo(0) & " should be deleted"
                                               WScript.Echo "Serial Number - " & Certificate.SerialNumber
                                               WScript.Echo "PublicKey - " & uPublicKey
                                               WScript.Echo "This certificate matches the public key and will be delete"
                                               strKind = "root"
                                               strCert = "COMPUTER - TRUSTED ROOT"
                                               DelWrongCert Certificate.SerialNumber, strKind, strCert
                               end if
                'End IF
Next
 
 
 
Sub DelWrongCert(strSerial, strKind, strCert)
 'intMsg = MsgBox("Do you want to delete the following certificate's serial number: " & VbCrLf & strSerial, 292, "Delete wrong " & strCert & " certificate")
 'If intMsg = 6 Then
  Dim objShell : Set objShell = CreateObject("WScript.Shell")
  strRun = "certutil -delstore " & strKind & " " & strSerial
'wscript.echo strRun
  intRun = objShell.Run(strRun, 0, True)
  If intRun <> 0 Then
   WScript.Echo "Deletion failed !"
  End If
  Set objShell = Nothing
 'End If
End Sub
 
Sub VerifyHostIsCScript()  
    If Not LCase(Mid(WScript.FullName, InstrRev(WScript.FullName, "\") + 1)) = "cscript.exe" Then
        MsgBox "You should run this script using CScript." & VbCrLf & _
             "It can be achieved by :" & VbCrLf & _
             "1. Using ''CScript " & WScript.ScriptName & "''." & vbCrLf & _
             "2. Changing the default Windows Scripting Host" & VbCrLf & _
             "    to CScript by running once ''CScript //H:CScript''."
        WScript.Quit
    End If
End Sub
 
 
---------------------------------------------------------------------------------------------------------------------------------------
End of script
 
 
  • The "Const PublicKeyInput" constant represent the Certificate of the Certificate Authority
 
              "Public Key" hash value.
 
 
  4. Copy the "login.bat" and "remove.vbs" file to the "RemoveCA" folder.
 
  5. Copy the "RemoveCA" folder to one of your domain controllers:
 
      C:\WINDOWS\SYSVOL\sysvol\<YourDomainName\Policies\{31B2F340-016D-11D2-94
 
          5F-00C04FB984F9}\MACHINE\Scripts\Startup.
 
  6. Wait for complete Active Directory replication.
 
  7. Use GPMC to edit the "Default Domain Policy":

        and a new computer startup script:
 
       "Computer Configuration" -> "Windows settings" -> "Scripts" -> "Startup".

       When configuring the script policy, browse to the folder mention above
               
        and point to the "login.bat" file.
 
  8. Wait for complete Active Directory replication.
 
  9. After computer reboot, the old Certificate Authority will be removed.
 
 
 
Script Overview:
 
    a. Create a new folder in the user computer; "C:\RemoveCA"
 
    b. It then copies 4 file to this folder: "Capicom.dll", "Certadm.dll",

             "Cerutil.exe" and "Remove.vbs".
 
    c. Register the "capicom.dll" and use the "Certutil.exe" command to delete
 
              the old Certificate Authority
 
    d. .Unregister "capicom.dll" and remove the "C:\RemoveCA"
             folder.
 
 
 
MORE INFORMATION
 
Platform SDK Redistributable: CAPICOM
 

 
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server
 

 

 
Properties

Article ID: 555894 - Last Review: 03/29/2007 11:17:08 - Revision: 1.0

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

  • kbpubmvp kbpubtypecca kbhowto KB555894
Feedback
PV = 1; var varClickTracking = 1; var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" " class="ng-binding" id="language-es-py">Paraguay - Español
Venezuela - Español
//c1.microsoft.com/c.gif?DI=4050&did=1&t="> var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" ')[0].appendChild(m);" onload="var m=document.createElement('meta');m.name='ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src="http://c1.microsoft.com/c.gif?"> >>