
How to remove a trusted Certificate Authority from computers in the domain


Author: Yuval Sinay MVP


Summary

This Knowledge Base article describes how to remove a trusted Certificate Authority from the computers in a domain.



Symptoms

After you install an Enterprise Certificate Authority, the computers in your domain
automatically add the Enterprise Certificate Authority to their trusted Certificate
Authority list. After you uninstall the Enterprise Certificate Authority, this trust
is not removed automatically.

  • The same issue can occur if you publish a stand-alone Certificate Authority
    as a trusted Certificate Authority by using Windows Group Policy.

  • Microsoft Knowledge Base article 889250 presents an option to use "Certutil.exe" as
    a tool that can help to remove the trust in the old Certificate Authority.
    However, if you reinstall the Certificate Authority with the same name, this
    tool will not be helpful.




Cause


This issue occurs because the Enterprise Certificate Authority or the Stand-Alone
Certificate Authority was uninstalled improperly.





Resolution


  1. Obtain the following files from the CAPICOM SDK and Windows 2003, and
     save them in a new folder named "RemoveCA":

        Capicom.dll
        Certadm.dll
        Certutil.exe

  2. Copy the text below to a new file named "login.bat":



Start of script
----------------------------------------------------------------------------------------------

cd\
md RemoveCA
REM %0\.. resolves to the folder that holds login.bat (the GPO Startup folder in SYSVOL)
copy %0\..\capicom.dll c:\RemoveCA
copy %0\..\certutil.exe c:\RemoveCA
copy %0\..\certadm.dll c:\RemoveCA
copy %0\..\remove.vbs c:\RemoveCA

cd RemoveCA
REM Register CAPICOM silently so that Remove.vbs can create the CAPICOM.Store object
c:\windows\system32\regsvr32 capicom.dll /s

REM Run the removal script under CScript and wait for it to finish
start /w c:\windows\system32\cscript remove.vbs

cd\
REM Unregister CAPICOM while the DLL still exists, then delete the working folder
c:\windows\system32\regsvr32 -u c:\RemoveCA\capicom.dll /s
rd removeca /s /q

-----------------------------------------------------------------------------------------
End of script


  3. Copy the text below to a new file named "Remove.vbs":


Start of script
---------------------------------------------------------------------------------------------------------------------------------------

' Abort unless the script is running under CScript (the console script host)
VerifyHostIsCScript

Dim Store, Certificate
Dim uPublicKey
Dim strKind, strCert

Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
Const CAPICOM_MEMORY_STORE                  = 0
Const CAPICOM_LOCAL_MACHINE_STORE           = 1
Const CAPICOM_CURRENT_USER_STORE            = 2
Const CAPICOM_STORE_OPEN_READ_ONLY          = 0
Const CAPICOM_STORE_OPEN_EXISTING_ONLY      = 128

' Hex-encoded public key of the old Certificate Authority certificate (see the note below the script)
Const PublicKeyInput="30 32 02 0a 02 82 02 01 02 ba b5 30 43 26 58 ce 55 6f a6 58 91 da 99 2b d9 1c 43 f6 11 fe 55 00 4d 55 e6 0a 8f f0 2c e0 0f 4d 45 22 7e ac e2 92 76 47 d5 d6 af 36 a8 16 28 3f ff ce 05 82 b0 cf 86 1e b3 67 c2 8c 4a 42 91 5f 0a 7b 5f ba b4 66 e1 f5 36 af 22 92 00 6e cf 60 bb 47 25 b5 bb e1 84 c6 45 30 61 8e 2f ec 18 49 c8 a1 6a d9 83 32 ac fd e8 ed 92 76 e6 25 01 3b 8f e6 fb 02 73 c3 2b cb 05 2e 97 53 20 9f 36 51 db 13 f3 35 85 fa 5b a9 c0 7b b1 1c f8 aa ec e8 1e 43 8f 14 0f 91 1f b8 04 1c bc 1a b8 96 fa 96 0e 60 ff d7 9b 52 c5 97 90 78 9c d7 ab f6 aa 9a 1b 0e e6 2b 55 b5 2d b9 45 d0 11 06 68 94 ad 72 1e 78 1d b9 9d 4f 01 c0 00 49 09 6b 6f a8 fa a3 87 a4 25 13 5b ff a1 e0 b2 d8 d4 17 64 e5 62 2a 47 28 4a 84 37 6d 3b cb 41 e2 7c fa a4 1d 53 aa e6 db 18 51 fd 51 b2 e9 41 81 e0 70 11 0c 07 51 14 8d 89 29 4b 65 2b 0d de 28 8c 41 e3 e0 03 d0 80 3f 91 ad 37 02 25 53 a8 b9 e8 b2 4f ed cb 66 35 fe 31 a5 a5 9e b2 01 28 c3 89 81 56 f1 a2 8e 33 0a c9 c5 0b 98 e2 5d fb 34 0e f4 5e 23 43 f1 0b 9b 17 a0 2c be 81 c7 85 99 4a 75 a5 81 50 34 db b1 09 35 35 b3 97 9d da 1d 5f 57 cf 6f e2 0b 43 a6 b9 58 65 f2 5a a1 1c ca 87 34 38 18 a3 27 64 94 78 f4 b2 51 41 76 ca de 3c 27 05 24 06 18 ba 40 e8 1a f3 47 42 22 8f ef 3f 20 e1 2d 91 af 32 4a a1 9e 40 87 2c ab 26 1f d3 60 39 41 e2 56 44 dd 35 cc 25 32 d5 2d 51 71 32 2d fd 1a 06 3b e1 d2 54 e6 ad 0a c4 31 af ea 6e 78 59 93 94 8e ca c8 e2 fe 78 3a 30 4e cc bc be eb e1 9d d7 1b 34 40 fc 95 04 88 5b e0 50 98 b7 92 47 bb ea 92 47 62 54 02 73 b6 2d 29 8f df 98 b3 63 df d1 36 dc 84 3e 4f a4 7f 2a 60 58 8e c2 eb 2f 3f b9 02 03 01 00 01"

' Open the computer's Trusted Root Certification Authorities store (read-only; deletion is done by Certutil.exe)
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "root", CAPICOM_STORE_OPEN_READ_ONLY
WScript.Echo "COMPUTER - TRUSTED ROOT CERTIFICATION AUTHORITIES (" & Store.Certificates.Count & " certs)"

For Each Certificate In Store.Certificates
    ' Compare the certificate's encoded public key with the one of the old Certificate Authority
    uPublicKey = Certificate.PublicKey.EncodedKey.Format(1)
    If StrComp(uPublicKey, PublicKeyInput, 0) = 0 Then
        WScript.Echo "I believe the certificate with name: " & Certificate.GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME) & " should be deleted"
        WScript.Echo "Serial Number - " & Certificate.SerialNumber
        WScript.Echo "PublicKey - " & uPublicKey
        WScript.Echo "This certificate matches the public key and will be deleted"
        strKind = "root"
        strCert = "COMPUTER - TRUSTED ROOT"
        DelWrongCert Certificate.SerialNumber, strKind, strCert
    End If
Next

' Delete the certificate with the given serial number from the given store by using Certutil.exe
Sub DelWrongCert(strSerial, strKind, strCert)
    Dim objShell, strRun, intRun
    Set objShell = CreateObject("WScript.Shell")
    strRun = "certutil -delstore " & strKind & " " & strSerial
    ' Run hidden (window style 0) and wait; a non-zero exit code means the deletion failed
    intRun = objShell.Run(strRun, 0, True)
    If intRun <> 0 Then
        WScript.Echo "Deletion failed !"
    End If
    Set objShell = Nothing
End Sub

Sub VerifyHostIsCScript()
    If Not LCase(Mid(WScript.FullName, InStrRev(WScript.FullName, "\") + 1)) = "cscript.exe" Then
        MsgBox "You should run this script using CScript." & vbCrLf & _
               "It can be achieved by :" & vbCrLf & _
               "1. Using ''CScript " & WScript.ScriptName & "''." & vbCrLf & _
               "2. Changing the default Windows Scripting Host" & vbCrLf & _
               "   to CScript by running once ''CScript //H:CScript''."
        WScript.Quit
    End If
End Sub


---------------------------------------------------------------------------------------------------------------------------------------
End of script


  • The "Const PublicKeyInput" constant holds the "Public Key" value of the Certificate
    Authority's certificate, in the hex form that the script obtains from
    Certificate.PublicKey.EncodedKey.Format(1). Because the match is made on the key
    rather than on the name, a reinstalled Certificate Authority with the same name but a
    new key is left untouched.


  4. Copy the "login.bat" and "remove.vbs" files to the "RemoveCA" folder.

  5. Copy the "RemoveCA" folder to one of your domain controllers:

       C:\WINDOWS\SYSVOL\sysvol\<YourDomainName>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup

  6. Wait for Active Directory replication to complete.

  7. Use GPMC to edit the "Default Domain Policy" and add a new computer startup script under:

       "Computer Configuration" -> "Windows Settings" -> "Scripts" -> "Startup".

     When configuring the script policy, browse to the folder mentioned above
     and point to the "login.bat" file.

  8. Wait for Active Directory replication to complete.

  9. After the computers reboot, the old Certificate Authority will be removed.



Script Overview:

  a. Creates a new folder on the user's computer: "C:\RemoveCA".

  b. Copies four files to this folder: "Capicom.dll", "Certadm.dll",
     "Certutil.exe" and "Remove.vbs".

  c. Registers "capicom.dll" and uses the "Certutil.exe" command to delete
     the old Certificate Authority.

  d. Unregisters "capicom.dll" and removes the "C:\RemoveCA" folder.
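The same check and removal as Remove.vbs, written in PowerShell as an added example (it is not part of this article and needs neither CAPICOM nor a copied Certutil.exe). As in the script above, certificates are matched by their encoded public key rather than by name, so a reinstalled Certificate Authority with the same name but a new key is not touched. The function names, the -WhatIf dry-run behaviour and the placeholder key value are assumptions of this example.

```powershell
# Added example, not part of the KB article: a PowerShell equivalent of Remove.vbs that
# needs neither CAPICOM nor a copied Certutil.exe. Run it elevated on the client.
# Assumption: $PublicKeyHex is the "Public Key" value of the old CA certificate as
# space-separated hex, i.e. the same value Remove.vbs keeps in PublicKeyInput.

function Find-RootCertByPublicKey {
    param(
        [Parameter(Mandatory = $true)] [string]$PublicKeyHex,
        [string[]]$StorePath = @('Cert:\LocalMachine\Root')
    )
    # Normalise the reference value so spacing and letter case do not affect the comparison.
    $wanted = ($PublicKeyHex -replace '\s', '').ToLowerInvariant()

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # EncodedKeyValue.RawData is the DER-encoded public key; compare it as lower-case hex,
            # the counterpart of Certificate.PublicKey.EncodedKey.Format(1) in Remove.vbs.
            $hex = ($cert.PublicKey.EncodedKeyValue.RawData | ForEach-Object { $_.ToString('x2') }) -join ''
            if ($hex -eq $wanted) { $cert }
        }
    }
}

function Remove-RootCertByPublicKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]$PublicKeyHex,
        [string[]]$StorePath = @('Cert:\LocalMachine\Root')
    )
    $found = @(Find-RootCertByPublicKey -PublicKeyHex $PublicKeyHex -StorePath $StorePath)
    if ($found.Count -eq 0) {
        Write-Output 'No certificate in the given store(s) matches the supplied public key.'
        return
    }
    foreach ($cert in $found) {
        # Record the same identifying details Remove.vbs echoes before deleting.
        Write-Output ('Match: {0}  Serial={1}  Thumbprint={2}' -f $cert.Subject, $cert.SerialNumber, $cert.Thumbprint)
        if ($PSCmdlet.ShouldProcess($cert.PSPath, 'Remove certificate from store')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

# Constructed placeholder; replace it with the real CA public key before use.
$caPublicKey = '30 82 01 0a 02 82 01 01 00 ... 02 03 01 00 01'

# Dry run first: -WhatIf lists what would be removed without changing the store.
Remove-RootCertByPublicKey -PublicKeyHex $caPublicKey -WhatIf
# Run it again without -WhatIf once the listed match is the certificate you expect.
```

Run the dry run on one machine and compare the reported serial number with the one on the decommissioned Certificate Authority before deploying the removal through the startup script.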





More information


Platform SDK Redistributable: CAPICOM

http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server

http://support.microsoft.com/kb/889250





Properties

COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.






Keywords: KB555894, kbhowto, kbpubtypecca, kbpubmvp


Article Info
Article ID : 555894
Revision : 1
Created on : 3/29/2007
Published on : 3/29/2007
Exists online : False
Views : 291