Certificate Authority Recovery

Question

  • I accidentally revoked the wrong certificate with reason "unspecified"; I realize that this was not unrevocable. I restored a CA database backup from last week, but was wondering if there was any way to import the certificates to the CA that were made since the backup that was restored from last week.
    Tuesday, April 15, 2014 3:07 PM

Answers

  • You can use "certutil -importcert" to import issued certificates that are not included in the backup set.

    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

    Wednesday, April 16, 2014 4:07 PM
  • I have quickly confirmed your scenario in lab and agree with Vadims Podans.

    Fortunately (in your case - not fortunately), one is not allowed to unrevoke certificates after the Unspecified reason code. In that case you have two options: either reissue the certificate and replace it on your servers/clients, or restore the CA with the option to restore the DB - this is what you did.

    Now, if in the meantime (time from when you have your DB backup) you issued certificates, they will remain valid even after restoring the CA DB. However, to see them in Issued Certificates in the Certification Authority console (and also be able to revoke them with the GUI), on the CA execute

    certutil -importcert certificate.cer

    You should specify the CAComputerName or CAName with the -config parameter. Please also remember that you can -importcert only certificates that have been issued by your CA. If not, you would see:

    CertUtil: -ImportCert command FAILED: 0x800b0107 (-2146762489 CERT_E_ISSUERCHAINING)
    CertUtil: A parent of a given certificate in fact did not issue that child certificate.


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Thursday, April 17, 2014 8:40 AM
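When many certificates were issued between the backup and the restore, the import above can be scripted over a folder of collected .cer files. The following PowerShell is an added example, not code from the thread or from Microsoft: it fetches the CA's own certificate, checks that each file actually chains to it, and only then runs certutil -importcert with -config, so files that were not issued by this CA are reported instead of each failing with CERT_E_ISSUERCHAINING (0x800b0107). The folder path and the "Host\CAName" config string are assumed values.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: bulk re-import of certificates issued after the restored
# backup. Each .cer is first checked to chain to this CA's own certificate;
# files that do not are reported rather than failing one by one with
# CERT_E_ISSUERCHAINING (0x800b0107). Run on the CA with an account that
# can manage the CA. $CerFolder and $CaConfig are assumed values.
param(
    [string]$CerFolder = 'C:\CARecovery\IssuedSinceBackup',       # assumed
    [string]$CaConfig  = 'CA01.corp.example.com\Corp Issuing CA'  # assumed Host\CAName
)

# Fetch the CA certificate with certutil -ca.cert so the issuer check is
# made against the actual signing certificate, not just a subject name.
$caCertFile = Join-Path $env:TEMP 'restored-ca.cer'
$null = & certutil.exe -config $CaConfig -ca.cert $caCertFile
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed for '$CaConfig'" }
$caCert = [X509Certificate2]::new($caCertFile)

function Test-IssuedByCa([X509Certificate2]$Cert, [X509Certificate2]$Ca) {
    # Build the chain offline (no CRL lookups; the CA may not be trusted on
    # this box) and confirm the immediate parent is our CA certificate.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.ChainPolicy.ExtraStore.Add($Ca)
    $null = $chain.Build($Cert)
    $parentOk = ($chain.ChainElements.Count -ge 2) -and ($chain.ChainElements[1].Certificate.Thumbprint -eq $Ca.Thumbprint)
    return $parentOk
}

$results = foreach ($file in Get-ChildItem -Path $CerFolder -Filter '*.cer') {
    $cert = [X509Certificate2]::new($file.FullName)
    if (-not (Test-IssuedByCa $cert $caCert)) {
        [pscustomobject]@{ File = $file.Name; Serial = $cert.SerialNumber
                           Status = 'Skipped: not issued by this CA' }
        continue
    }
    # -config ties the import to the right CA when several are reachable.
    $out = & certutil.exe -config $CaConfig -importcert $file.FullName 2>&1
    $status = if ($LASTEXITCODE -eq 0) { 'Imported' } else { 'Failed: ' + ($out -join ' ') }
    [pscustomobject]@{ File = $file.Name; Serial = $cert.SerialNumber; Status = $status }
}
$results | Format-Table -AutoSize
```

Certificates you cannot collect from their hosts remain valid but stay absent from the CA database until a copy is imported this way.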

All replies

  • Hi,

    Do you need further assistances on this issue by now?

    If yes, please feel free to let us know.

    Have a nice day!

    Amy

    Monday, April 21, 2014 4:45 AM
    Moderator
  • This solved my problem, thanks for the help.
    Monday, April 21, 2014 1:33 PM
  • Hi,

    Glad to hear that it worked!

    Please feel free to let us know if you encounter any issues in the future.

    Best Regards,

    Amy Wang

    Tuesday, April 22, 2014 2:42 AM
    Moderator