On a client PC running XP SP3 with CertUtil.exe installed it is possible to revove a certificate on a 2008 PKI server using the following command: certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9 Using the same command on a Windows 7 client pc fails with the following error: CertUtil: -revoke command FAILED: 0x80040154 (-2147221164) CertUtil: Class not registered On both PCs it is possible to request a new certificate, therefore the user account on the client PC probably has the correct permissions. Can you help with an answer why the Windows 7 CertUtil.exe fails in this way ?

Hi, Please install the Windows 7 Remote Server Administration Tools (RSAT) from here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en Let me know if that resolves the issue. Thanks, John

Hi John, No success with that suggestion. After installing RSAT for Win7 the result is the same: certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9 CertUtil: -revoke command FAILED: 0x80040154 (-2147221164) CertUtil: Class not registered A similar problem happens on other Win 7 machines, i.e. this problem is not specific to this PC. Alan

John et al, Found the solution. The answer is sadly obvious now that I know, probably should have read the manual in a little more detail, the manual says .... Installing or Removing Remote Server Administration Tools for Windows 7 http://technet.microsoft.com/en-us/library/ee449483%28WS.10%29.aspx#BKMK_installui The installation section reports how to enable the relevent remote server administration tools. In my case I followed these steps: Click Start , click Control Panel , and then click Programs . In the Programs and Features area, click Turn Windows features on or off . If you are prompted by User Account Control to allow the Windows Features dialog box to open, click Continue . In the Windows Features dialog box: Expand Remote Server Administration Tools . Expand Role Admin Tools . Expand Active Directory Certificate Services Tools . Check Certificate Authority Tools. OK. Following the above sequence and running the CertUtil.exe command again this is the result: C:\>certutil.exe -v -config "VMPKI.ThisServer.com\ThisServer Root CA" -revoke 17747F660000000001A9 Revoking "17747f660000000001a9" -- Reason: Unspecified CertUtil: -revoke command completed successfully . W^5, which was what was wanted. :) Thank you for your suggestion, it helped to know I was on the right track. Alan

Hi, What version of Windows 7 are you running? 1. Copy output from: “systeminfo | findstr /B /C:"OS Name" /C:"OS Version"” Also, please gather a certutil log by running the following commands: 1. Enable certutil logging: "certutil -setreg ca\debug 0xffffffe3" 2. Attempt to revoke a certificate as noted above 3. Disable certutil logging: "certutil -delreg ca\debug" 4. Reply here with the relevant entries in the file: “%windir%\certutil.log” Thanks, John