Getting rid of my Certification Authority

We don't really use this anyway, although some people did, in the past. I
have to decomission the hardware on which the CA lives and for the near-term,
have decided to just not establish another.
I have a couple of questions: First of all, if somebody, somewhere, has an
encrypted folder (they all swear they don't, but I can't go poking around to
make sure), will they lose access to their files or will their files simply
become unencrypted when I decomission the CA?
Secondly, when I look at issued certificates, I see some of my server - most
notably, my DCs. I don't know exactly why they've requested certificates,
but what will happen to them if I decomission the CA?

Thanks for any advice!
Mark

Brian
Sat Apr 26 07:18:12 CDT 2008

inline...
"justmark" <justmark@discussions.microsoft.com> wrote in message
news:FEC616FF-D1C7-4242-96F8-9CE86F03E978@microsoft.com...
> We don't really use this anyway, although some people did, in the past. I
> have to decomission the hardware on which the CA lives and for the
> near-term,
> have decided to just not establish another.
> I have a couple of questions: First of all, if somebody, somewhere, has
> an
> encrypted folder (they all swear they don't, but I can't go poking around
> to
> make sure), will they lose access to their files or will their files
> simply
> become unencrypted when I decomission the CA?
If decommissions, and you have not maintained the KRA certificate and
private key or the DRA certificate and private key, they are out of luck.
Decommissioning a CA does not decrypt files.

> Secondly, when I look at issued certificates, I see some of my server -
> most
> notably, my DCs. I don't know exactly why they've requested certificates,
> but what will happen to them if I decomission the CA?

They will fail for LDAP/SSL connections. You should remove all of the DC
certs
certutil -dcinfo DELETEALL

>
> Thanks for any advice!
> Mark

justmark
Sat Apr 26 08:09:00 CDT 2008

"Brian Komar (MVP)" wrote:

inline...

> If decommissions, and you have not maintained the KRA certificate and
> private key or the DRA certificate and private key, they are out of luck.
> Decommissioning a CA does not decrypt files.

Okay, then is there a way I can test this? For instance, can I stop a CA
service on the server to "simulate" removal of the CA? Something that I can
test and then if somebody screams (unlikely, but you never know), I can just
turn it back on and dig in further to help them get their stuff unencrypted?


> They will fail for LDAP/SSL connections. You should remove all of the DC
> certs
> certutil -dcinfo DELETEALL

Running this on the CA will remove them and I'll be okay?

Thanks for the help,
Mark

Brian
Sat Apr 26 12:10:09 CDT 2008

You could just stop the service to simulate the removal.
ANd yes, you can run the command from the CA.
If there are multiple domains, the command must be run on one domain member
(does not have to be a CA) as a member of that domain for each domain
Brian

"justmark" <justmark@discussions.microsoft.com> wrote in message
news:5997212A-30DB-43B3-BAC9-69A6C872972D@microsoft.com...
> "Brian Komar (MVP)" wrote:
>
> inline...
>
>> If decommissions, and you have not maintained the KRA certificate and
>> private key or the DRA certificate and private key, they are out of luck.
>> Decommissioning a CA does not decrypt files.
>
> Okay, then is there a way I can test this? For instance, can I stop a CA
> service on the server to "simulate" removal of the CA? Something that I
> can
> test and then if somebody screams (unlikely, but you never know), I can
> just
> turn it back on and dig in further to help them get their stuff
> unencrypted?
>
>
>> They will fail for LDAP/SSL connections. You should remove all of the DC
>> certs
>> certutil -dcinfo DELETEALL
>
> Running this on the CA will remove them and I'll be okay?
>
> Thanks for the help,
> Mark

justmark
Mon Apr 28 08:54:02 CDT 2008

Thanks Brian!

Mark




"Brian Komar (MVP)" wrote:

> You could just stop the service to simulate the removal.
> ANd yes, you can run the command from the CA.
> If there are multiple domains, the command must be run on one domain member
> (does not have to be a CA) as a member of that domain for each domain
> Brian

justmark
Wed Apr 30 09:49:01 CDT 2008

Hi Brian,

Just a followup question on this - I've turned off the CA service, but from
what I see, nothing has changed. Before doing that, I'd created a folder on
my desktop on my PC and put one file into it. I then encrypted the folder.
That's still encrypted and I can still open it. I went to the CA manager and
revoked (cease of operation) my new certificate (before I killed the service).

I'm just wondering how long I should expect it to take to show some reaction
to all of this? I want to test getting rid of my CA entirely but need to be
sure that if somebody actually has an encrypted folder, they'll know - then
I'll just turn the service back on and deal with it. But if what I've done
so far has no effect, I can't be sure about any of this.

Any advice would be very much appreciated!

Thanks,
Mark


"Brian Komar (MVP)" wrote:

> You could just stop the service to simulate the removal.
> ANd yes, you can run the command from the CA.
> If there are multiple domains, the command must be run on one domain member
> (does not have to be a CA) as a member of that domain for each domain
> Brian

Paul
Wed Apr 30 10:52:50 CDT 2008

On Wed, 30 Apr 2008 07:49:01 -0700, justmark wrote:

> Hi Brian,
>
> Just a followup question on this - I've turned off the CA service, but from
> what I see, nothing has changed. Before doing that, I'd created a folder on
> my desktop on my PC and put one file into it. I then encrypted the folder.
> That's still encrypted and I can still open it. I went to the CA manager and
> revoked (cease of operation) my new certificate (before I killed the service).
>
> I'm just wondering how long I should expect it to take to show some reaction
> to all of this? I want to test getting rid of my CA entirely but need to be
> sure that if somebody actually has an encrypted folder, they'll know - then
> I'll just turn the service back on and deal with it. But if what I've done
> so far has no effect, I can't be sure about any of this.
>
> Any advice would be very much appreciated!

A couple of things here. First of all, have you checked to see if any EFS
certificates have actually been issued in the first place? Just because you
have or had a CA up and running, that does not mean that it has issued any
EFS certificates.

Secondly if you have issued EFS certificates are they based on the default
version 1 Basic EFS certificate template? If so then you really don't need
to worry about the CA being available as you won't have the private key of
any issued certificates archived.

Thirdly you need to understand how revocation works with EFS. The only time
that EFS will check for certificate revocation is when one is trying to
share an EFS encrypted file with another user. EFS will check to see
whether or not that user's certificate has been revoked. If it has been you
won't be able to share the encrypted file with that user. If you revoked
your EFS certificate you will be able to use it to encrypt new content as
long as it is still time valid and you'll be able to use it to decrypt
existing content forever.

You seem to be under the impression that their is a close tie-in with a CA
and EFS and there really is not.

--
Paul Adare
http://www.identit.ca
Computer problems? Have you checked the loose nut in front of the keyboard?

justmark
Wed Apr 30 12:45:01 CDT 2008

"Paul Adare" wrote:

> A couple of things here. First of all, have you checked to see if any EFS
> certificates have actually been issued in the first place? Just because you
> have or had a CA up and running, that does not mean that it has issued any
> EFS certificates.


Hi Paul!

Well, my CA snapin tells me that I've issued several Basic EFS (EFS)
certificates to some of my users. They're assuring me that they have no
encrypted files anymore. I also have several Domain Controller certificates.



> Secondly if you have issued EFS certificates are they based on the default
> version 1 Basic EFS certificate template? If so then you really don't need
> to worry about the CA being available as you won't have the private key of
> any issued certificates archived.

I think what you're asking is what I'm seeing - Basic EFS (EFS) is the type
issued in my Issued Certificates. I created a test folder on my PC and
encrypted the contents and it generated another of these for me. Admittedly,
I don't know much about this - the reason I'm asking such questions - the
whole process concerns me because two years ago (before my time so I don't
know the details) one of our users had encrypted files and something happened
and she was never again able to access them. When I remove the CA and
decommission this server, I don't want that to happen to me :-(

>
> Thirdly you need to understand how revocation works with EFS. The only time
> that EFS will check for certificate revocation is when one is trying to
> share an EFS encrypted file with another user. EFS will check to see
> whether or not that user's certificate has been revoked. If it has been you
> won't be able to share the encrypted file with that user. If you revoked
> your EFS certificate you will be able to use it to encrypt new content as
> long as it is still time valid and you'll be able to use it to decrypt
> existing content forever.
>
> You seem to be under the impression that their is a close tie-in with a CA
> and EFS and there really is not.


You're right - I'm worried about this whole process and not sure how it ties
together. I need to get rid of the server hosting CA and need to clean up
anything in AD related to this CA's existence. If I just go in and uninstall
the CA and do a cleanup, I want to be sure that I won't cause a problem.
From what I hear, you don't think I'll have any issues?

Thanks,
Mark