UGTS Document #16 - Last Modified: 8/29/2015 3:23 PM
Cleaning out Certificate Services data from Active Directory

Certificate services integrates heavily into Active Directory. Most of the objects created are hidden from casual view, but you can see and edit them manually if you need to do so using either Active Directory Sites & Services (ADSS), or AdsiEdit.msc (ADSIEDIT).

Using ADSS, you can view the objects created by first selecting the top node on the left tree pane labeled 'Active Directory Sites and Services', and then go to the menu, View, and select 'Show Services Node' (the menu option is not shown unless you first select the top tree node on the left, which can be confusing). Then drill down to Services, Public Key Services. In ADSIEDIT, the same information is stored under Configuration, Services, Public Key Services.

If you are manually removing Certificate Services from a server, most of the configuration should first be removed with the certutil utility, and the remainder of the cleanup can be done by hand through these two tools.

However, there is one location where certificates are stored which can be very hard to locate: NTAuthCertificates. To clean out this object, use ADSIEDIT, then browse to Configuration, Services, Public Key Services, NTAuthCertificates, right-click, Properties. Then view the attribute 'cACertificate'. This is a multi-valued attribute, with one value for each installed root certificate in the domain. Each of these values is larger than 1KB, so ADSIEDIT does not show you the whole value. To view it, first install a hex editor on the server such as HxD. Then double-click the value, and at the screen which shows 'Octet String Attribute Editor', paste in the path to the editor, such as C:\Program Files\HxD\hxd.exe, and then press Edit. Once you have worked out which value corresponds to which certificate, you can delete the values individually from this attribute.
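An alternative to inspecting each value in a hex editor is to decode the cACertificate values as X.509 certificates from PowerShell, so each entry can be identified by subject and thumbprint before deciding what to delete. This is an added example, not part of the original document; it assumes the ActiveDirectory module is installed and that the thumbprint of the entry to remove is filled in as a placeholder.

```powershell
# Added example: list (and optionally remove) entries in the NTAuthCertificates
# cACertificate attribute without reading raw DER bytes by hand.
Import-Module ActiveDirectory

# Locate the object in the Configuration naming context of the current forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDN -Properties cACertificate

function ConvertTo-X509 {
    param([byte[]]$Der)
    # Each multi-valued entry is a DER-encoded certificate; the leading comma
    # passes the byte array as a single constructor argument.
    New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
               -ArgumentList (,$Der)
}

# Show which stored value corresponds to which CA certificate.
$index = 0
foreach ($raw in $ntAuth.cACertificate) {
    $cert = ConvertTo-X509 -Der $raw
    [PSCustomObject]@{
        Index      = $index
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SizeBytes  = $raw.Length
    }
    $index++
}

# Remove exactly one value, selected by thumbprint (placeholder: take it from the list above).
$staleThumbprint = 'THUMBPRINT_OF_STALE_CA_CERT'
$toRemove = $ntAuth.cACertificate | Where-Object {
    (ConvertTo-X509 -Der $_).Thumbprint -eq $staleThumbprint
}
if ($toRemove) {
    # -WhatIf previews the change; drop it once the listing confirms the right entry.
    Set-ADObject -Identity $ntAuthDN -Remove @{ cACertificate = $toRemove } -WhatIf
}
```

Removing a CA from NTAuthCertificates stops the domain trusting that CA for smart card and other certificate logons, so confirm no live certificates chain to it before dropping the -WhatIf.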