Decommissioning a certification authority
Microsoft has an article that describes the complete decommissioning process.
This is an excerpt from it on how to clean up the traces of a former CA with ADSI Edit.
Connect not to the default naming context but to the Configuration naming context, as shown in the screenshot.
The following objects need to be deleted from their respective locations.
certificateAuthority object
Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. Contains the CA certificate for the CA. Published Authority Information Access (AIA) location.
crlDistributionPoint object
Located in CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Contains the CRL periodically published by the CA.
Published CRL Distribution Point (CDP) location.
certificationAuthority object
Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Contains the CA certificate for the CA.
pKIEnrollmentService object
Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
Created by the enterprise CA.
Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.
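
Before deleting anything in ADSI Edit, it helps to list exactly what the retired CA left in those four containers. The script below is an added example, not part of the Microsoft article: it is read-only, uses the ActiveDirectory PowerShell module, and the values EXAMPLE-CA and CA01 are placeholders for the CA's common name and the short name of the server it ran on.

```powershell
# Added example: read-only inventory of the objects a retired CA left in AD.
# Assumptions: the ActiveDirectory module (RSAT) is installed; $CaName and
# $CaHost are placeholders and contain no LDAP special characters.
Import-Module ActiveDirectory

$CaName = 'EXAMPLE-CA'   # placeholder: common name of the retired CA
$CaHost = 'CA01'         # placeholder: short host name of the CA server

# Bind to the Configuration naming context, not the default (domain) one.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# The four locations listed above.
$containers = [ordered]@{
    'AIA'                       = "CN=AIA,$pkiBase"
    'CDP'                       = "CN=$CaHost,CN=CDP,$pkiBase"
    'Certification Authorities' = "CN=Certification Authorities,$pkiBase"
    'Enrollment Services'       = "CN=Enrollment Services,$pkiBase"
}

$found = foreach ($entry in $containers.GetEnumerator()) {
    try {
        # Prefix match so renewed-key objects such as "EXAMPLE-CA(1)" are included.
        Get-ADObject -SearchBase $entry.Value -SearchScope OneLevel `
                     -LDAPFilter "(cn=$CaName*)" -Properties whenChanged `
                     -ErrorAction Stop |
            Select-Object @{ n = 'Container'; e = { $entry.Key } },
                          Name, ObjectClass, whenChanged, DistinguishedName
    }
    catch {
        # A missing container (for example, no CDP entry for this host) is
        # reported and skipped rather than aborting the whole inventory.
        Write-Warning "$($entry.Key): cannot search $($entry.Value): $($_.Exception.Message)"
    }
}

if ($found) {
    $found | Format-Table -AutoSize -Wrap
}
else {
    Write-Output "No objects matching '$CaName' were found under $pkiBase."
}
```

The prefix match can also return objects of another CA whose name starts with the same string, so review the DistinguishedName column before removing anything.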