*I posted this when NTSYSADMIN list was on spamcop and am reposting now...*
Group,

We have two Enterprise Root CAs and need to remove one. The one I want to remove has only three computer certificates issued via an auto-enrollment Group Policy, for VPN.

After some googling, I see that I might be able to start the Cert Authority MMC on the bad CA, navigate to Certification Templates, then delete all of them. This should force the machines to renew them on the other root CA server. I ran certutil per http://support.microsoft.com/kb/555529 to find that I have two of these. Per http://forums.techarena.in/microsoft-security/934673.htm and http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/af6cb6614c34f88f/5414636b3d971257?hl=en&lnk=st&q=delete+%22enterprise+root+ca%22#5414636b3d971257 I can delete all templates and let them expire. This seems very heavy-handed. Is this a safe way to proceed?

This is an Enterprise Root CA for a 2003 Active Directory. I only have three certs to replace, so I wonder if I can just revoke them one-by-one while I have the laptops in my possession, stop the cert service on the bad CA, then let the GPO issue a new computer cert on the good CA. Then, after the three certs are reissued, uninstall Cert Services from the bad server (decommission it via http://support.microsoft.com/kb/889250).

-Devin
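The per-certificate approach Devin describes (revoke on the old CA, let the GPO enroll a replacement from the remaining CA, then decommission) depends on verifying two things before the old CA is stopped: what the old CA has actually issued, and whether each laptop already holds a replacement chained to the good CA. The following PowerShell is an added example, not code from the original post or from Microsoft. The CA names `OLD-CA`, `GOOD-CA` and the host `oldca.corp.example` are placeholders; the `certutil` switches used (`-config`, `-view -restrict`, `-pulse`, `-revoke`) are standard ones, and request disposition 20 is the value `certutil` uses for an issued certificate.

```powershell
# Added example (not from the original post). Assumes the CA being retired is
# "OLD-CA" on host oldca.corp.example and the remaining CA is "GOOD-CA";
# replace these placeholders with your own CA names.
$OldCaConfig = "oldca.corp.example\OLD-CA"
$OldCaName   = "OLD-CA"
$GoodCaName  = "GOOD-CA"

# 1. On the CA to be retired: list every certificate it has issued that is
#    still outstanding (Disposition 20 = issued). Compare this against the
#    three VPN computer certificates before revoking or stopping anything;
#    anything unexpected here would break when the CA goes away.
certutil -config $OldCaConfig -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,SerialNumber,NotAfter,CertificateTemplate"

# 2. On each laptop: confirm a replacement machine certificate chained to the
#    remaining CA has really been autoenrolled before the old CA is stopped.
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My
$fromOld  = @($machineCerts | Where-Object { $_.Issuer -like "CN=$OldCaName*" })
$fromGood = @($machineCerts | Where-Object { $_.Issuer -like "CN=$GoodCaName*" })

if ($fromGood.Count -eq 0) {
    Write-Warning "No certificate from $GoodCaName yet; triggering autoenrollment, re-check afterwards."
    # Fire the autoenrollment task the GPO relies on instead of waiting for the next refresh.
    certutil -pulse
}
elseif ($fromOld.Count -gt 0) {
    Write-Output "Replacement from $GoodCaName is present. Old certificate(s) from $OldCaName that can now be revoked on the CA:"
    $fromOld | ForEach-Object {
        Write-Output ("  serial {0}, expires {1}" -f $_.SerialNumber, $_.NotAfter)
        # Revocation is done on the CA, not the client, once the VPN is confirmed
        # working with the new certificate. Reason 4 = Superseded:
        #   certutil -config $OldCaConfig -revoke <SerialNumber> 4
    }
}
else {
    Write-Output "Only $GoodCaName certificates present; this machine no longer depends on $OldCaName."
}
```

Step 1 runs on the old CA itself and is the check that turns "I think it only issued three certs" into a list you can reconcile; step 2 runs on each laptop and is the gate before `net stop certsvc` on the old CA. Wrapping the `Where-Object` results in `@()` keeps `.Count` reliable whether zero, one or several certificates match.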
