Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to remove a trusted Certificate Authority from computers in the domain


Author: Yuval Sinay MVP

View products that this article applies to.

Summary

The following knowledgebase will help you to remove a trusted Certificate Authority from computers in the domain

↑ Back to the top


Symptoms

After you installed Enterprise Certificate Authority, the computers in your domain,
add the Enterprise Certificate Authority to the trusted Certificate Authority list
automatically.
After uninstall the Enterprise Certificate Authority, this trust doesn�t removed
automatically.

  • The same issue can occur if you publish a stand alone Certificate Authority
������������� as Certificate Authority by using Windows Group Policy.

  • Microsoft Knowledgebase 889250 present an option to use "Certutil.exe" as
���������������tool that can help to remove the trust in the old Certificate Authority.
�������������� However, if you reinstall the Certificate Authority with the same name, this
�������������� tool wouldn�t be helpful.


↑ Back to the top


Cause


This issue occurs due to improper uninstalled process of �Enterprise Certificate Authority or
improper uninstalled process�of Stand Alone Certificate Authority.



↑ Back to the top


Resolution


  1. Obtain the following files from�the CAPICOM SDK and Windows 2003,
������������ �save the in a new folder named "RemoveCA":

���������������� Capicom.dll
���������������� Certadm.dll
���������������� Cerutil.exe

��� 2. Copy the text bellow to a new file, named "login.bat":



Start of script
----------------------------------------------------------------------------------------------

cd\
md RemoveCA
copy %0\..\removeca.vbs c:\RemoveCA
copy %0\..\capicom.dll c:\RemoveCA
copy %0\..\certutil.exe c:\RemoveCA
copy %0\..\certadm.dll c:\RemoveCA
copy %0\..\remove.vbs c:\RemoveCA

cd RemoveCA
c:\windows\system32\regsvr32 capicom.dll /s

start /w c:\windows\system32\cscript remove.vbs

cd\
rd removeca /s /q

c:\windows\system32\regsvr32 -u capicom.dll /s

-----------------------------------------------------------------------------------------
End of script


��� 3. Copy the text bellow to a new file, named "Remove.vbs":


Start of script
---------------------------------------------------------------------------------------------------------------------------------------

VerifyHostIsCScript

DIM Store, Certificate
Dim uPublicKey
Dim uEncodedData
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME������ = 0
Const CAPICOM_MEMORY_STORE����������������������� = 0
Const CAPICOM_LOCAL_MACHINE_STORE���������������� = 1
Const CAPICOM_CURRENT_USER_STORE����������������� = 2
Const CAPICOM_STORE_OPEN_READ_ONLY��������������� = 0
Const CAPICOM_STORE_OPEN_EXISTING_ONLY����������� = 128
Const PublicKeyInput="30 32 02 0a 02 82 02 01 02 ba b5 30 43 26 58 ce 55 6f a6 58 91 da 99 2b d9 1c 43 f6 11 fe 55 00 4d 55 e6 0a 8f f0 2c e0 0f 4d 45 22 7e ac e2 92 76 47 d5 d6 af 36 a8 16 28 3f ff ce 05 82 b0 cf 86 1e b3 67 c2 8c 4a 42 91 5f 0a 7b 5f ba b4 66 e1 f5 36 af 22 92 00 6e cf 60 bb 47 25 b5 bb e1 84 c6 45 30 61 8e 2f ec 18 49 c8 a1 6a d9 83 32 ac fd e8 ed 92 76 e6 25 01 3b 8f e6 fb 02 73 c3 2b cb 05 2e 97 53 20 9f 36 51 db 13 f3 35 85 fa 5b a9 c0 7b b1 1c f8 aa ec e8 1e 43 8f 14 0f 91 1f b8 04 1c bc 1a b8 96 fa 96 0e 60 ff d7 9b 52 c5 97 90 78 9c d7 ab f6 aa 9a 1b 0e e6 2b 55 b5 2d b9 45 d0 11 06 68 94 ad 72 1e 78 1d b9 9d 4f 01 c0 00 49 09 6b 6f a8 fa a3 87 a4 25 13 5b ff a1 e0 b2 d8 d4 17 64 e5 62 2a 47 28 4a 84 37 6d 3b cb 41 e2 7c fa a4 1d 53 aa e6 db 18 51 fd 51 b2 e9 41 81 e0 70 11 0c 07 51 14 8d 89 29 4b 65 2b 0d de 28 8c 41 e3 e0 03 d0 80 3f 91 ad 37 02 25 53 a8 b9 e8 b2 4f ed cb 66 35 fe 31 a5 a5 9e b2 01 28 c3 89 81 56 f1 a2 8e 33 0a c9 c5 0b 98 e2 5d fb 34 0e f4 5e 23 43 f1 0b 9b 17 a0 2c be 81 c7 85 99 4a 75 a5 81 50 34 db b1 09 35 35 b3 97 9d da 1d 5f 57 cf 6f e2 0b 43 a6 b9 58 65 f2 5a a1 1c ca 87 34 38 18 a3 27 64 94 78 f4 b2 51 41 76 ca de 3c 27 05 24 06 18 ba 40 e8 1a f3 47 42 22 8f ef 3f 20 e1 2d 91 af 32 4a a1 9e 40 87 2c ab 26 1f d3 60 39 41 e2 56 44 dd 35 cc 25 32 d5 2d 51 71 32 2d fd 1a 06 3b e1 d2 54 e6 ad 0a c4 31 af ea 6e 78 59 93 94 8e ca c8 e2 fe 78 3a 30 4e cc bc be eb e1 9d d7 1b 34 40 fc 95 04 88 5b e0 50 98 b7 92 47 bb ea 92 47 62 54 02 73 b6 2d 29 8f df 98 b3 63 df d1 36 dc 84 3e 4f a4 7f 2a 60 58 8e c2 eb 2f 3f b9 02 03 01 00 01"
Set Store = CreateObject("CAPICOM.Store")
Store.Open 1, "root", CAPICOM_STORE_OPEN_READ_ONLY
WScript.Echo "COMPUTER - TRUSTED ROOT CERTIFICATION AUTHORITIES (" & Store.Certificates.Count & " certs)"
For Each Certificate In Store.Certificates
��������������� 'If Certificate.isValid = 0 then
�������������������� 'WScript.Echo Certificate.Display
������������������������������ uPublicKey = Certificate.PublicKey.EncodedKey.Format(1)
������������������������������ if not strcomp(uPublicKey,PublicKeyInput,0) <> 0 Then

���������������������������������������������� WScript.Echo "I believe the certificate with name: " & Certificate.GetInfo(0) & " should be deleted"
���������������������������������������������� WScript.Echo "Serial Number - " & Certificate.SerialNumber
���������������������������������������������� WScript.Echo "PublicKey - " & uPublicKey
���������������������������������������������� WScript.Echo "This certificate matches the public key and will be delete"
���������������������������������������������� strKind = "root"
���������������������������������������������� strCert = "COMPUTER - TRUSTED ROOT"
���������������������������������������������� DelWrongCert Certificate.SerialNumber, strKind, strCert
������������������������������ end if
��������������� 'End IF
Next



Sub DelWrongCert(strSerial, strKind, strCert)
�'intMsg = MsgBox("Do you want to delete the following certificate's serial number: " & VbCrLf & strSerial, 292, "Delete wrong " & strCert & " certificate")
�'If intMsg = 6 Then
��Dim objShell : Set objShell = CreateObject("WScript.Shell")
��strRun = "certutil -delstore " & strKind & " " & strSerial
'wscript.echo strRun
��intRun = objShell.Run(strRun, 0, True)
��If intRun <> 0 Then
���WScript.Echo "Deletion failed !"
��End If
��Set objShell = Nothing
�'End If
End Sub

Sub VerifyHostIsCScript()��
��� If Not LCase(Mid(WScript.FullName, InstrRev(WScript.FullName, "\") + 1)) = "cscript.exe" Then
������� MsgBox "You should run this script using CScript." & VbCrLf & _
������������ "It can be achieved by :" & VbCrLf & _
������������ "1. Using ''CScript " & WScript.ScriptName & "''." & vbCrLf & _
������������ "2. Changing the default Windows Scripting Host" & VbCrLf & _
������������ "��� to CScript by running once ''CScript //H:CScript''."
������� WScript.Quit
��� End If
End Sub


---------------------------------------------------------------------------------------------------------------------------------------
End of script


  • The "Const PublicKeyInput" constant represent the Certificate of the Certificate Authority

������������ �"Public Key" hash value.


� 4. Copy the "login.bat" and "remove.vbs" file to the "RemoveCA" folder.

� 5. Copy the "RemoveCA" folder to one of your domain controllers:

����� C:\WINDOWS\SYSVOL\sysvol\<YourDomainName\Policies\{31B2F340-016D-11D2-94

��������� 5F-00C04FB984F9}\MACHINE\Scripts\Startup.

� 6. Wait for complete Active Directory replication.

� 7. Use GPMC to edit the "Default Domain Policy":

������� and a new computer startup script:

������ "Computer Configuration" -> "Windows settings" -> "Scripts" -> "Startup".

������ When configuring the script policy, browse to the folder mention above
���������������
������� and point to the "login.bat" file.

� 8. Wait for complete Active Directory replication.

� 9. After computer reboot, the old Certificate Authority will be removed.



Script Overview:

��� a. Create a new folder in the user computer; "C:\RemoveCA"

��� b.�It then copies 4 file to this folder: "Capicom.dll", "Certadm.dll",

������������ "Cerutil.exe" and "Remove.vbs".

��� c. Register the "capicom.dll" and use the "Certutil.exe" command to delete

������������� the old Certificate Authority

�� �d. .Unregister "capicom.dll" and remove the "C:\RemoveCA"
������������ folder.



↑ Back to the top


More information


Platform SDK Redistributable: CAPICOM

http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server

http://support.microsoft.com/kb/889250



↑ Back to the top


Properties

COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

↑ Back to the top


Community solutions content disclaimer

Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.

↑ Back to the top


Keywords: KB555894, kbhowto, kbpubtypecca, kbpubmvp

↑ Back to the top

Article Info
Article ID : 555894
Revision : 1
Created on : 3/29/2007
Published on : 3/29/2007
Exists online : False
Views : 308