Securing communications with digital certificates is among the most robust mechanisms organizations use today. Public key cryptography makes a certificate computationally infeasible to forge, provided the issuing CA's private key stays secret and the relying party actually validates the signature chain and revocation status, and certificates can protect countless network operations.
Of course, any network that stands still falls behind, and at some point its PKI needs updating too. Replacing or removing an old Certificate Authority (CA) can become a priority, so we'll explore why it matters and how to decommission an out-of-date CA.
Importance of CA Organization
As with most things in life, keeping your network components (in this case your CAs) organized is an excellent strategy for longevity and high performance. Over time this may mean replacing a CA because you are moving to a new vendor, no longer need an older system, or for any of a myriad of other reasons. It's vital to fully remove an old CA, because one left in place causes confusion within your network and, as described below, can leave a door open.
One of the most immediate problems users hit when a CA is removed incorrectly is failed authentication. The CA signs certificates, and during authentication the relying party (for example a RADIUS server) checks that signature to confirm the certificate chains to a CA it trusts. If that CA is removed from the trust store before users have been issued certificates from its replacement, they will be unable to authenticate, and they will be confused because they changed nothing about their process and still cannot get online.
It's especially important to properly remove a Root CA from the network. In a single-tier deployment the root itself signs the certificates issued to users and devices, and in a multi-tier hierarchy it anchors every chain below it; either way those certificates can be valid for years. If the root CA's certificate stays in your trust stores (the RADIUS server's trusted issuers, the NTAuth store, clients' Trusted Root stores) and the issued certificates are never revoked, the old root remains technically active and anyone holding a certificate it signed can still authenticate when they should be denied. Revocation only helps where the relying party actually checks a reachable CRL or OCSP responder, so removing the root from the trust stores is the step that ultimately closes the door. Either failure can lead to a serious disruption in service or a security breach.
A key step in cleaning up an old CA is deleting its enrollment object in Active Directory (the pKIEnrollmentService object under CN=Enrollment Services,CN=Public Key Services,CN=Services in the Configuration partition), so users can no longer attempt to enroll for a certificate from that CA. If the object remains, enrollment attempts against a CA that no longer exists will cause large slowdowns and errors during the transition to the new CA. This matters most for domain-joined Windows clients: autoenrollment discovers CAs through that object and will keep trying to enroll against the old CA for as long as it is advertised.
Cleaning and Deleting an Outdated CA
The process of deleting an old CA and cleaning the network of it isn't overly complex, but it does require accuracy. If steps are skipped or details are missed, you will end up with many confused users and security holes left open.
Below we’ve detailed the overarching steps to successfully deleting a CA from your network.
- Revoke all certificates tied to the CA
  - There can be no lingering certificates in the hands of servers, users, devices, etc.
  - Add all certificates to a Certificate Revocation List (CRL)
  - Ensure that the list is published and tested
- Cancel any pending certificate requests
  - No new certificates can be issued that are signed by this CA
- Eliminate certificate services related to the CA
  - This includes operations such as deleting the private key and removing certificate templates associated with the CA
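The procedure above, as one end-to-end script for a Windows AD CS certification authority. This is an added example, not SecureW2's or Microsoft's own tooling, and it goes slightly beyond the list: it also performs the trust-store and enrollment-object cleanup discussed earlier on this page, and it tests the final CRL by fetching it from the CDP URL the way a client would. The CA name, host, domain, CDP URL and thumbprint are assumed placeholders; everything else uses only certutil and the built-in ADCSAdministration and ADCSDeployment modules.

```powershell
# Added example: decommission an AD CS certification authority end to end.
# Assumed values (replace for your environment): the CA "Contoso Old Root CA" runs
# in the contoso.com forest and publishes its CRL to the URL below.
# Run in an elevated PowerShell session on the CA host as an Enterprise Admin.
$CaName  = 'Contoso Old Root CA'                                              # assumed CA common name
$CdpUrl  = 'http://pki.contoso.com/CertEnroll/Contoso%20Old%20Root%20CA.crl'  # assumed CDP URL
$Domain  = 'DC=contoso,DC=com'                                                # assumed forest root DN
$Thumb   = '0123456789ABCDEF0123456789ABCDEF01234567'                         # assumed CA cert thumbprint
$WorkDir = 'C:\CA-Decommission'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Helper: run a certutil -view query and return one column as a list of strings.
# CA database dispositions: 20 = issued, 21 = revoked, 9 = pending.
function Get-CaColumn([string]$Restrict, [string]$Column) {
    certutil -view -restrict $Restrict -out $Column csv |
        Select-Object -Skip 1 |                  # first row is the CSV header
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
}

# Step 0: back up the CA database and key (password prompted) before anything irreversible.
certutil -backup $WorkDir

# Step 1: revoke every unexpired certificate this CA has issued. Reason 5 = CessationOfOperation;
# use 2 (CACompromise) instead if the key may have been stolen, since relying parties treat it differently.
$issued = Get-CaColumn 'Disposition=20,NotAfter>=now' 'SerialNumber'
foreach ($serial in $issued) { certutil -revoke $serial 5 | Out-Null }

# Step 2: deny everything still in the pending queue so nothing new can be signed by this CA.
foreach ($id in Get-CaColumn 'Disposition=9' 'RequestId') { certutil -deny $id | Out-Null }

# Step 3: make the final base CRL outlive the longest-lived certificate (the CA will not be
# around to renew it), turn off delta CRLs, publish, then test it the way a client would:
# fetch from the CDP and compare the entry count with the unexpired revocations in the database.
# A CRL that is signed but never reaches the CDP leaves every "revoked" certificate fully usable.
certutil -setreg CA\CRLPeriodUnits 10
certutil -setreg CA\CRLPeriod Years
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service CertSvc
certutil -CRL | Out-Null
Invoke-WebRequest -Uri $CdpUrl -OutFile "$WorkDir\published.crl"
$crlEntries = (certutil -dump "$WorkDir\published.crl" | Select-String 'CRL Entries:').Line -replace '\D', ''
$revoked    = Get-CaColumn 'Disposition=21,NotAfter>=now' 'SerialNumber'
if ([int]$crlEntries -lt $revoked.Count) {
    throw "Published CRL lists '$crlEntries' entries but the CA database holds $($revoked.Count) live revocations; fix CDP publishing before continuing."
}

# Step 4: detach the templates so autoenrollment stops offering this CA, stop the service and
# remove the role. Remove-CATemplate only unpublishes templates from this CA; the template
# objects stay in AD for the replacement CA to use.
Import-Module ADCSAdministration
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }
Stop-Service CertSvc
Import-Module ADCSDeployment
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature ADCS-Cert-Authority

# Step 5: delete the private key container (software keys are named after the CA; an HSM needs
# its vendor's procedure) and the CA's AD objects: the pKIEnrollmentService object that
# advertises it to autoenrollment clients, plus its AIA, CDP and KRA entries.
certutil -delkey $CaName
certutil -dsdel $CaName

# Step 6: pull the CA out of the trust stores that actually gate authentication. NTAuth governs
# smart-card/PKINIT logon; Trusted Root governs every chain built on this machine. -viewdelstore
# opens a picker: select the old CA certificate. Repeat the local-store removal on RADIUS/NPS
# servers (or via the GPO that distributed the root), otherwise old client certificates keep
# authenticating until they expire wherever revocation checking is off.
certutil -viewdelstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$Domain?cACertificate?base?objectclass=certificationAuthority"
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $Thumb } |
    Remove-Item
```

Every step after the backup is irreversible, so walk the script through a lab copy of the CA first. The ordering matters: the CRL must be published and verified before the role is uninstalled, because a decommissioned CA can never sign another one, and the trust-store cleanup in the last step is what actually denies holders of old certificates on relying parties that do not check revocation.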
The process may not be quick, but thoroughness pays off. If you completely remove everything associated with the old CA, replacing it will go smoothly. While the exact commands vary between CA vendors, the overall steps remain the same. Linked here is a detailed look at the CA removal process for those with a Windows-based CA.
Top of the Line Certificate Services with SecureW2
If you’re looking to delete an old CA and replace it with something new, SecureW2’s PKI services are second to none for user experience and security. Our turnkey PKI can rapidly create a CA to be used for authentication, or easily integrate with network infrastructure from any major vendor, including AD CS. So if you’re looking for a replacement for certificate services from AD, look no further than SecureW2.
SecureW2's management portal allows admins to easily view and manage all certificates on the network. Revocation is a rapid process, and you can view all authentication and enrollment events and remotely troubleshoot any issues users run into.
One of the main issues that organizations run into with certificates is how to efficiently distribute them to end users. The JoinNow onboarding solution allows users to self-configure any device in a matter of minutes and be ready for authentication immediately. It assists immensely in making the entire PKI services extremely scalable. It can be easily used by an organization of any size and grows with you over time.
SecureW2 offers a huge range of certificate services, including RADIUS authentication. If you need to move on from an outdated CA, SecureW2 has you covered with a variety of options and certificate functions. Check out our pricing page to see if our PKI could fit your network's needs.