===== Decommissioning a Certification Authority =====

Microsoft has an article that describes the full decommissioning process.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

This page is an excerpt covering how to clean up the traces of a former CA using ADSI Edit.

:!: //Note that you must connect to the configuration naming context, not the default naming context, as shown in the screenshot.//

;#;
{{::ad_cs_removal_adsi.jpg?direct&400|}}
;#;

The following objects must be deleted from their respective locations.

**certificateAuthority object**

Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.\\
Contains the CA certificate for the CA.\\
Published Authority Information Access (AIA) location.

**crlDistributionPoint object**

Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.\\
Contains the CRL periodically published by the CA.\\
Published CRL Distribution Point (CDP) location.

**certificationAuthority object**

Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.\\
Contains the CA certificate for the CA.

**pKIEnrollmentService object**

Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.\\
Created by the enterprise CA.\\
Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

{{tag>Certificates PKI ADCS Microsoft Windows}}
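
To see what is left before deleting anything in ADSI Edit, the following added example (not part of the Microsoft article or of the original page) lists the objects named after the CA under the four containers above. It is read-only, assumes the ActiveDirectory PowerShell module (RSAT) is installed, and uses the constructed placeholder CA name ''Contoso-Issuing-CA''.

```powershell
# Added example: read-only inventory of leftover CA objects. Deletes nothing.
param(
    # Placeholder (constructed): common name of the retired CA.
    [string]$CaName = 'Contoso-Issuing-CA'
)

Import-Module ActiveDirectory

# The PKI containers live in the configuration naming context,
# not in the default (domain) naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Escape characters that are special inside an LDAP filter value.
$escaped = $CaName -replace '\\', '\5c' -replace '\*', '\2a' `
                   -replace '\(', '\28' -replace '\)', '\29'

# Trailing wildcard also catches objects with a suffix such as "(1)",
# which appear after the CA key was renewed. Review every hit by hand:
# another CA whose name starts with the same string will match as well.
$filter = "(cn=$escaped*)"

# The four containers listed on this page.
$containers = 'CN=AIA', 'CN=CDP', 'CN=Certification Authorities', 'CN=Enrollment Services'

foreach ($container in $containers) {
    $base = "$container,$pkiBase"
    try {
        # Subtree scope is needed for CDP, where the objects sit one level
        # down under CN=<ServerName>.
        Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter $filter `
                     -Properties whenChanged -ErrorAction Stop |
            Select-Object @{ Name = 'Container'; Expression = { $container } },
                          Name, ObjectClass, whenChanged, DistinguishedName
    }
    catch {
        Write-Warning "Could not search ${base}: $($_.Exception.Message)"
    }
}
```

Run it again after the cleanup; an empty result means no object with that name remains in these four containers.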