Home‎ > ‎Software‎ > ‎Microsoft‎ > ‎

Certificate Authority

Find CA Server

 In AD find the Members of the "Cert Publishers" group

Determine CA Type


Log on to the CA Server and open a command prompt

certutil -dump
Config: 'server.blah.com\blah.com'

based on the output of that command build the next command

certutil -cainfo -config $CONFIG type

certutil -cainfo -config server.blah.com\blah.com type

Uninstall CA

  1. Stop CA service on certificate server and observe the behavior (events, failures on DCs, clients).
  2. If CA service is left started, keep a check on Issued Certificates container on CA server, observe if any additional certificates are issued.


  1. How to decommission a Windows enterprise certification authority and how to remove all related objects = http://support.microsoft.com/kb/889250
  2. Checklist: Decommissioning a certification authority = http://technet.microsoft.com/en-us/library/cc786938(WS.10).aspx
  3. Uninstall a certification authority = http://technet.microsoft.com/en-us/library/cc785971(WS.10).aspx
  4. Processing Domain Controller Certificates = http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx