CertUtil.exe on Windows7 Admin Of 2008 PKI Server
On a client PC running XP SP3 with CertUtil.exe installed it is possible to revove a certificate on a 2008 PKI server using the following command:
certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9
Using the same command on a Windows 7 client pc fails with the following error:
CertUtil: -revoke command FAILED: 0x80040154 (-2147221164)
CertUtil: Class not registered
On both PCs it is possible to request a new certificate, therefore the user account on the client PC probably has the correct permissions.
Can you help with an answer why the Windows 7 CertUtil.exe fails in this way ?
October 17th, 2010 8:12pm
Hi,
Please install the Windows 7 Remote Server Administration Tools (RSAT) from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
Let me know if that resolves the issue.
Thanks,
John
Free Windows Admin Tool Kit Click here and download it now
October 19th, 2010 11:43am
Hi John,
No success with that suggestion.
After installing RSAT for Win7 the result is the same:
certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9
CertUtil: -revoke command FAILED: 0x80040154 (-2147221164)
CertUtil: Class not registered
A similar problem happens on other Win 7 machines, i.e. this problem is not specific to this PC.
Alan
October 19th, 2010 4:30pm
John et al,
Found the solution.
The answer is sadly obvious now that I know, probably should have read the manual in a little more detail, the manual says ....
Installing or Removing Remote Server Administration Tools for Windows 7
http://technet.microsoft.com/en-us/library/ee449483%28WS.10%29.aspx#BKMK_installui
The installation section reports how to enable the relevent remote server administration tools.
In my case I followed these steps:
Click Start , click Control Panel , and then click
Programs .
In the Programs and Features area, click Turn Windows features on or off .
If you are prompted by User Account Control to allow the Windows Features dialog box to open, click
Continue .
In the Windows Features dialog box:
Expand Remote Server Administration Tools .
Expand Role Admin Tools .
Expand Active Directory Certificate Services Tools .
Check Certificate Authority Tools.
OK.
Following the above sequence and running the CertUtil.exe command again this is the result:
C:\>certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9
Revoking "17747f660000000001a9" -- Reason: Unspecified
CertUtil: -revoke command completed successfully .
W^5, which was what was wanted. :)
Thank you for your suggestion, it helped to know I was on the right track.
Alan
Free Windows Admin Tool Kit Click here and download it now
October 19th, 2010 6:09pm
Hi,
What version of Windows 7 are you running?
1.
Copy output from: “systeminfo | findstr /B /C:"OS Name" /C:"OS Version"”
Also, please gather a certutil log by running the following commands:
1.
Enable certutil logging: "certutil -setreg ca\debug 0xffffffe3"
2.
Attempt to revoke a certificate as noted above
3.
Disable certutil logging: "certutil -delreg ca\debug"
4.
Reply here with the relevant entries in the file: “%windir%\certutil.log”
Thanks,
John
October 19th, 2010 6:18pm