You could edit this article, if you feel inclined:
https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx?wa=wsignin1.0&PageIndex=1&CommentPosted=true
Also, for anyone who finds this, I kept getting access denied with certutil -viewdelstore, so I wrote the below script to ID the certs to remove and then just used adsiedit to remove the appropriate items from the directory attribute.
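# Get-ADRootDSE and Get-ADObject come from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
# DN of the NTAuthCertificates object in the forest's configuration partition
$NTAuthCertificates_Object = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
# cACertificate is multi-valued; each value is one DER-encoded certificate (byte[])
$cACertificate_Attribute = (Get-ADObject $NTAuthCertificates_Object -Properties cACertificate).cACertificate
$Output = foreach ($Certificate in $cACertificate_Attribute) {
    # Hex-encode every byte so the leading bytes can be matched against the values shown in adsiedit
    $BytesInHex = $Certificate | ForEach-Object ToString x2
    # One row per certificate: its subject and the first 8 bytes of the raw value
    "" | Select-Object @{n='CertSubject'; e={([Security.Cryptography.X509Certificates.X509Certificate2]$Certificate).Subject}}, @{n='First8Bytes'; e={($BytesInHex[0..7]) -join '\'}}
}
$Output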