This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 81%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
This is related to my previous question about Old Root CA certificate that appears in trusted root cert store of my servers/ computers.
I check the Group policy and the old Root certificate is not published there.
So probably that the Root CA certificate was published in AD via CERTUTIL -DSPUBLISH, also the Old certificate is Publish not only in CN=Certification Authorities. But also in CN=AIA, CN=Enrollement Services and CN=KRA. Also the old PKI server is also in CN=CDP.
I also launch Enterprise PKI > Manage AD containers and i see the objects there
What is the best way to clean this up So that new servers will not get that Expired Certificate?
What is the best way also to cleanup the one in production?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 30%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
How to remove old CA version from new CA?
I also launch Enterprise PKI > Manage AD containers and i see the objects there
use this Manage AD Containers dialog to cleanup old CA certificate from AD.
Will that also remove the Old CA from the client?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
To remove the old CA, we could refer to:
How to decommission a Windows enterprise certification authority and remove all related objects
https://support.microsoft.com/en-in/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
Hello,
Have we checked the provided information? Hope it is helpful. For any question, please reply and tell us the current situation in order to provide further help.
Thank you so much for your support.
Best regards,
Hannah Xiong