Channel: Directory Services forum

Remove published trusted root certificate and all related items (e.g. AIA, CDP) from Active Directory


Recently, I became alarmed when I noticed an unusual certificate (hereafter: "BadCert") in the Trusted Root Certification Authorities section of the Certificates MMC on a computer.  I checked several computers in our environment and BadCert was installed as a Trusted Root Certification Authority on all of them.  As I manage our PKI, this alarmed me because I definitely had nothing to do with it.

I was able to identify the host server that seems to be responsible for it as the name of BadCert has the server hostname in its common name.  It is a Windows Storage Server 2012 R2 Storage Server Essentials server that one of our Systems Administrators (who also has Domain Admin rights) set up.  I asked him about it, and he does not know how or why a certificate related to this server ended up being pushed out as a trusted root certification authority.

I determined that BadCert is not being pushed out via Group Policy.  Instead, it appears to be published in Active Directory.*  At this point, I believe the prudent thing to do is to remove/unpublish this certificate in Active Directory.  The thing is, the originating server does not have the Active Directory Certificate Services role installed and does not have BadCert installed in its "Personal" certificate store.  It does have the Windows Server Essentials Experience role installed but the configuration is not completed.

I'm not sure how to proceed.  Can anyone assist?

* I see entries related to BadCert under "CN=Public Key Services,CN=Services,CN=Configuration,DC=<subdomain>,DC=<domain>,DC=<root>".  For instance, there are items related to BadCert under the "CN=AIA", "CN=CDP", "CN=Certification Authorities", and "CN=KRA" RDNs under that container.
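One way to inventory exactly what is published under that container before unpublishing anything, as an added example that is not part of the forum post or any answer to it. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and two placeholders (the suspect certificate's thumbprint and the originating server's hostname) that you replace with your own values.

```powershell
# Added example (not the poster's code): report every certificate stored under
# CN=Public Key Services and every object there whose CN carries a given hostname.
# Read-only; it only lists the DNs a later cleanup would target.
Import-Module ActiveDirectory

$SuspectThumbprint = 'PLACEHOLDER-THUMBPRINT'   # placeholder: thumbprint of "BadCert"
$SuspectHostname   = 'PLACEHOLDER-HOSTNAME'     # placeholder: hostname seen in BadCert's CN

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Attributes that hold DER-encoded certificates in the AIA, Certification Authorities,
# NTAuthCertificates, Enrollment Services and KRA containers. CDP objects hold CRLs
# (certificateRevocationList), not certificates, so they are caught by the name search below.
$certAttrs = 'cACertificate', 'userCertificate', 'crossCertificatePair'

$published = foreach ($obj in Get-ADObject -SearchBase $pkiBase -LDAPFilter '(objectClass=*)' -Properties $certAttrs) {
    foreach ($attr in $certAttrs) {
        $values = $obj.$attr
        if ($null -eq $values) { continue }
        if ($values -is [byte[]]) { $values = , $values }   # single value: wrap so we iterate blobs, not bytes
        foreach ($der in $values) {
            try { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der) }
            catch { continue }                               # crossCertificatePair blobs may not parse as one cert
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                Attribute         = $attr
                Subject           = $cert.Subject
                Issuer            = $cert.Issuer
                Thumbprint        = $cert.Thumbprint
                NotAfter          = $cert.NotAfter
            }
        }
    }
}

Write-Host "All certificates published under $pkiBase"
$published | Sort-Object DistinguishedName | Format-Table DistinguishedName, Attribute, Subject, Thumbprint -AutoSize

$normalized = $SuspectThumbprint.Replace(' ', '').ToUpperInvariant()
Write-Host "Objects carrying the suspect certificate (thumbprint match):"
$published | Where-Object { $_.Thumbprint -eq $normalized } | Format-List DistinguishedName, Attribute, Subject, NotAfter

# Name search catches the CDP (CRL) objects and anything else named after the server.
Write-Host "Objects under Public Key Services whose CN contains '$SuspectHostname':"
Get-ADObject -SearchBase $pkiBase -LDAPFilter "(cn=*$SuspectHostname*)" |
    Select-Object DistinguishedName, ObjectClass | Format-Table -AutoSize
```

The two result lists give the full set of DNs to review with the administrator who built the server; rehearsing any removal with `Remove-ADObject -WhatIf` against those DNs shows what would be deleted without changing the directory.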

