Good morning,
I have the task to decommission a Root Certification Authority from an environment with additional Root CA(s) in an online state.
The process being followed is the one described at https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects#step-6---remove-ca-objects-from-active-directory
This guide is quite clear and has been tested in a lab; however, I have two questions on which I would appreciate your expertise.
1. The CA to be decommissioned has its service stopped. The guide advises deleting issued certificates and increasing the CRL; this is not possible when the service has been stopped.
If I enable the service to apply the changes, how can I ensure that this server will NOT issue certificates to users and/or computers, as it currently has an ACTIVE certificate present in its personal store?
2. As per step 5 of the guide, to locate and then remove the private key the command certutil -key is issued. This does not show the key. Forums suggest this is an issue with Server 2012 R2.
I plan on exporting the Root CA certificate (and private key) from Local Computer/Personal/Certificates and then deleting this certificate. The guide will continue to be processed in order. Will this achieve the same outcome?
I have completed this in a test lab and all appears well.
Thank you.