OK, making some progress here. I can view the certificates published to AD
in AD Sites and Services. You need to enable "Show Services nodes" first.
Then navigate to Services->Public Key Services->AIA.  There I can see the
certificate, but no Root CA, which is good. But going down the rest of the
objects, I see an entry for the server under CDP, Certification
Authorities, and KRA.

I'm guessing I can just delete those objects? Anyone done this before?

Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003
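
The containers named in the message above can also be listed from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed and read access to the Configuration partition, and `New-PkiRow` is a hypothetical helper name.

```powershell
# Added example, not from the thread: read-only inventory, nothing is modified.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# New-PkiRow is a hypothetical helper: one report row per object/certificate pair.
function New-PkiRow($Container, $Object, $Cert) {
    [pscustomobject]@{
        Container  = $Container
        Object     = $Object.Name
        Class      = $Object.ObjectClass
        Created    = $Object.whenCreated
        Subject    = if ($Cert) { $Cert.Subject }
        Thumbprint = if ($Cert) { $Cert.Thumbprint }
        NotAfter   = if ($Cert) { $Cert.NotAfter }
        SelfSigned = if ($Cert) { $Cert.Subject -eq $Cert.Issuer }   # subject equals issuer
    }
}

$report = foreach ($name in 'AIA', 'CDP', 'Certification Authorities', 'KRA') {
    $base = "CN=$name,$pkiBase"
    try {
        $objects = @(Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * `
            -Properties cACertificate, whenCreated -ErrorAction Stop |
            Where-Object { $_.DistinguishedName -ne $base })
    } catch {
        Write-Warning "Could not read ${base}: $($_.Exception.Message)"
        continue
    }
    foreach ($obj in $objects) {
        $rows = 0
        foreach ($raw in $obj.cACertificate) {
            if (-not $raw -or $raw.Length -lt 2) { continue }   # empty placeholder value
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
                New-PkiRow $name $obj $cert
                $rows++
            } catch {
                Write-Warning "Unparseable cACertificate on $($obj.DistinguishedName)"
            }
        }
        # Objects with no usable certificate (for example CRL objects under CDP) are still listed.
        if ($rows -eq 0) { New-PkiRow $name $obj $null }
    }
}

$report | Sort-Object Container, Object | Format-Table -AutoSize
```

Comparing the Thumbprint column with the thumbprint of the certificate seen in a machine's Intermediate Certification Authorities store shows which directory object carries it.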

  _____  

From: Don Guyer [mailto:[email protected]] 
Sent: Wednesday, September 23, 2009 9:33 AM
To: NT System Admin Issues
Subject: RE: Intermediate Certification Authorities

 

A quick Google showed that the Dell ITAssistant can use SSL for secure
management of systems. Maybe it went out and inventoried hardware and
pushed a cert to the machines?

 

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
[email protected]

  _____  


From: Christopher Bodnar [mailto:[email protected]] 
Sent: Wednesday, September 23, 2009 8:33 AM
To: NT System Admin Issues
Subject: RE: Intermediate Certification Authorities

 

Nothing that I can think of that would cause this. As I mentioned before,
the only thing on that machine that used SSL was Dell ITAssistant, and I
don't see how that could have pushed a certificate out to every machine in
the domain without modifying a GPO or setting up a CA, which we don't
have. For example, most of our servers only get (1) GPO applied, the
Default Domain Policy, and I've checked that, no reference to the
certificate in there. 

 

I really need to track this down. 

 

Thanks for the help

  _____  

From: [email protected] [mailto:[email protected]] 
Sent: Tuesday, September 22, 2009 8:15 PM
To: NT System Admin Issues
Subject: RE: Intermediate Certification Authorities

 

Something had to have installed it somehow. What software have you
installed on those machines that might have done this? Alternatively any
GPOs that have done this? The actual certificate - does it give any clues
as to what it's for or who issued it?

 

Cheers

Ken

 

From: Christopher Bodnar [mailto:[email protected]] 
Sent: Wednesday, 23 September 2009 12:03 AM
To: NT System Admin Issues
Subject: Intermediate Certification Authorities

 

Need help with this:

 

Windows 2003 forest functional level. 

 

We currently do not have a PKI infrastructure. There is a certificate in
every machine's Intermediate Certification Authorities -> Certificates
folder, and I'm not sure how it got there.

 

I had a test server that I installed Dell IT Assistant on back in May. I
believe the server generates a self-signed certificate for SSL
communication. Now that certificate is on every machine in the domain. I
did NOT add it to any GPO.

 

How is it getting there? Any thoughts?

 

Thank you,

 

Chris