none
Certificate Revocation Using CertUtil Utility RRS feed

  • Question

  • Hi,

    Whenever I'm trying to revoke a certificate using certutil command utility its throwing following error

    Input:

    C:\Users\administrator> certutil -config "MachineName\CAName" -revoke certificateSerialNumber  revocationReason

    Error:

    CertUtill : -revoke command FAILED: 0x8007007e(WIN32/HTTP:126 ERROR_MOD_NOT_FOUND)

    CertUtill : The specified module could not be found

    Tuesday, July 9, 2019 10:44 AM

Answers

  • Hi,
    Apologize for the late reply.

    After a lot of test and research, I think that Windows clients (such as win 7, win 8 or win 10) do not support some management of CA functions, such as revoking certificates and view certificate information.

    For example, we can see the following test in my test environment, the clients are Win 7 and Win 10.

    1. On the Win 7, i can not revoke certificate.




    2. 
    On the Win 10, i can not revoke certificate.




    3. On Win 10, 
    I can ran the following command alone.

    1)When I run the command:
    certutil -config "DC2019\B-DC2019-CA" 

    2)When I run the command: certutil -revoke 650000003239bbf62395a5c084000000000032


    5
    . On win 10, I can run -getconfig and -ping, but I can not run -revoke and -view.

    So i think on client, we can run part of these commands about certutil.




    6. On server, we can run most or maybe all these commands about certutil.

    Windows server 2016.




    Windows server 2012.




    The above is my test result, I am sorry, but I can not find the information related it on Microsoft official article.


    When I run the following command on server, I can see so much information or all information about the CA.

    certutil -config "DC2019\B-DC2019-CA" -view

    I think we should not see all these CA information with the command on clients.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 18, 2019 7:17 AM
    Moderator

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Do we run the above command on CA server? 

    We can troubleshoot as below:

    1. Check whether we can run the same command with PowerShell.

    2. Check whether we can run certutil.exe and certutil /? on this machine (open cmd and run as Administrator).

    3. Check if we can see certutil.exe under C:\Windows\System32



    I can run certutil.exe and certutil /? on my CA server as below:


    And I can revoke the certificate with the command you provided.






    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 10, 2019 8:25 AM
    Moderator
  • Thanks Daisy Zhou<abbr class="affil"></abbr>,

    I'm not executing this command on CA Machine but, I'm trying it from a CEP Joined System.

    Wednesday, July 10, 2019 10:46 AM
  • Hi,
    You are welcome!

    Would you please tell me if we check the above 3 points? And tell me the result.

    Your feedback is very useful for the further research. Please feel free to let me know if you have additional questions.

    Thank you very much.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 11, 2019 3:00 AM
    Moderator
  • Hi Daisy Zhou,

    The Solution provided by you is working perfectly on CA Machine i.e executing the commands on ca machine itself.

    But the problem is that i'm not able to revoke a certificate from CEP joined system using same commands.

    Thanks,

    Janadhri


    • Edited by JanadhriRaj Thursday, July 11, 2019 3:15 AM
    Thursday, July 11, 2019 3:12 AM
  • Hi,

    It seems that our operating system itself lacks the corresponding module file.
    Or maybe we did not update in time, then it results in a file without the corresponding module of the operating system.

    Please check:

    1. What operating system version is our CEP joined system?
    2. Check whether we can run the same command with PowerShell.
    3. Check whether we can run certutil.exe and certutil /? on this machine (open cmd and run as Administrator).
    4. Check if we can see certutil.exe under C:\Windows\System32


    I can run the same command (with cmd or powershell) on other member server 2016.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 12, 2019 11:14 AM
    Moderator
  • Hi Daisy Zhou ,

    I Cross Verified the above suggested points in my setup environment.

    1. Operating System on  CEP Joined System is "WINDOWS 10".

    2. Operating System on  CA System is "WINDOWS SERVER 2012 R2".

    3. I'm able to run the same command on powershell ie on CA Machine and CEP Joined Machine

    4. I'm able to run the certutil.exe and certutil /? these commands on my CEP Joined System.

    5. certutil.exe utility is present in C:\Windows\System32.

    Regards,

    Janadhri.

    Saturday, July 13, 2019 3:12 AM
  • Hi,
    I can reproduce the same error message with the above command on one of my Win10 client.





    I will continue to test and research, and I will reply you here if there is any update. Thank you for your understanding and support.



    Best Regards,
    Daisy Zhou



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 15, 2019 11:00 AM
    Moderator
  • Hi Daisy,

    Thanks for the reply. Will be waiting for further updates.

    Regards,

    Janadhri

    Tuesday, July 16, 2019 2:53 AM
  • Hi,
    Apologize for the late reply.

    After a lot of test and research, I think that Windows clients (such as win 7, win 8 or win 10) do not support some management of CA functions, such as revoking certificates and view certificate information.

    For example, we can see the following test in my test environment, the clients are Win 7 and Win 10.

    1. On the Win 7, i can not revoke certificate.




    2. 
    On the Win 10, i can not revoke certificate.




    3. On Win 10, 
    I can ran the following command alone.

    1)When I run the command:
    certutil -config "DC2019\B-DC2019-CA" 

    2)When I run the command: certutil -revoke 650000003239bbf62395a5c084000000000032


    5
    . On win 10, I can run -getconfig and -ping, but I can not run -revoke and -view.

    So i think on client, we can run part of these commands about certutil.




    6. On server, we can run most or maybe all these commands about certutil.

    Windows server 2016.




    Windows server 2012.




    The above is my test result, I am sorry, but I can not find the information related it on Microsoft official article.


    When I run the following command on server, I can see so much information or all information about the CA.

    certutil -config "DC2019\B-DC2019-CA" -view

    I think we should not see all these CA information with the command on clients.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 18, 2019 7:17 AM
    Moderator
  • Hi Daisy Zhou,

    Thanks for so much of research and the replay.

    I Can use Windows Server 2012 R2/2016 server as client system to achieve the intended functionality.

    Thanks and regards,

    Janadhri

    Monday, July 22, 2019 5:21 AM
  • Hi,
    You are welcome!

    Thank you for your update and marking my reply as answer. I’m very glad that the information is helpful.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!



     
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 5:59 AM
    Moderator