There may be times when you need to uninstall a certification authority (CA). However, after the CA is uninstalled, clients will not be able to send requests to it, and some applications that depend on your public key infrastructure (PKI) may not function properly if they need that CA to verify the validity and revocation status of a certificate.

If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked by its parent CA with a certificate revocation reason of "Cease of operation." If the CA is a self-signed root CA, then all certificates that have not expired should be revoked and a certificate revocation list (CRL) should be generated with the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

When uninstalling an enterprise CA, it is important that it be uninstalled properly to ensure that its CA enrollment object is removed from Active Directory Domain Services (AD DS). Failure to do so may result in AD DS clients continuing to attempt to enroll against that CA. If an enterprise CA cannot be uninstalled normally, the Enterprise PKI snap-in can be used to manually remove the CA objects from AD DS.


You should back up the entire server before uninstalling the CA.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To remove unused certificate-related objects from Active Directory containers
  1. Open the Enterprise PKI snap-in.

  2. In the console tree, right-click Enterprise PKI, and then click Manage AD Containers.

  3. Select one of the containers, and select one or more objects within that container.

  4. Click View to examine the contents of each object if you are uncertain whether any of the selected objects pertain to the CA that you are uninstalling.

  5. Click Remove.

  6. Select a different container, and repeat steps 3 through 5 until you have removed all objects that you no longer need.
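
The following read-only script is an added example, not part of the original procedure. It lists the objects in the containers shown by Manage AD Containers that refer to a given CA, so you can confirm what remains before and after removal. It assumes the ActiveDirectory PowerShell module is available and that the containers are under CN=Public Key Services in the configuration partition; `$CAName` and its sample value are placeholders.

```powershell
# Added example: read-only inventory. Nothing is modified or deleted.
# Requires the ActiveDirectory module (RSAT).
param(
    # CA common name as stored in AD DS; the example value is constructed.
    [Parameter(Mandatory)] [string] $CAName   # e.g. 'Contoso Issuing CA 1'
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Escape LDAP filter metacharacters (RFC 4515); backslash must go first.
$escaped = $CAName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

# Containers that hold an object named after each CA.
$containers = 'Enrollment Services', 'AIA', 'CDP', 'Certification Authorities', 'KRA'

$found = foreach ($c in $containers) {
    Get-ADObject -SearchBase "CN=$c,$pkiBase" -SearchScope Subtree `
                 -LDAPFilter "(cn=$escaped)" -Properties whenChanged |
        Select-Object @{ n = 'Container'; e = { $c } }, ObjectClass, whenChanged, DistinguishedName
}

# NTAuthCertificates is a single object; each CA certificate is one value
# of its cACertificate attribute, so match on the certificate subject.
$nt = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" `
                   -Properties cACertificate -ErrorAction SilentlyContinue
$ntHits = foreach ($raw in $nt.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    if ($cert.GetNameInfo('SimpleName', $false) -eq $CAName) {
        $cert | Select-Object Subject, Thumbprint, NotAfter
    }
}

"Objects named '$CAName' in the PKI containers:"
$found  | Format-Table -AutoSize -Wrap
"Certificates for '$CAName' in NTAuthCertificates:"
$ntHits | Format-Table -AutoSize

if (-not $found -and -not $ntHits) {
    "No objects for '$CAName' were found in the checked containers."
}
```

The match is on the object's common name. If the CA name is very long or contains special characters, the name stored in AD DS may differ from the display name, so compare the output against what the snap-in shows.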