Certutil -deleterow cert Access is denied

  • Question

  • I'm having trouble running certutil -deleterow %date% cert command.

    I get an access is denied error. I am a CA Admin and have rights to do it. I ran the command prompt as administrator.

    The weird thing is I can delete certs by ID.

    Since I'm unable to post images, here is a copied example:

    Running certutil -deleterow 4 Cert

    Deleting row ID: "4"
    Rows deleted: 1
    CertUtil: -deleterow command completed successfully.

    Running certutil -deleterow 3/11/2014 Cert

    Rows deleted: 0
    CertUtil: -deleterow command FAILED: 0x80070005 (WIN32: 5)
    CertUtil: Access is denied.

    Any help on understanding this would be great! Thank you!


    Tuesday, March 11, 2014 3:54 PM

Answers

  • Hi,

    As we can see in the link I posted, to delete multiple rows in the CA database (bulk deletion), the user must be both a CA administrator and a certificate manager. And this activity cannot be performed when role separation is enforced.

    Have you set role separation? If so, we should not do this action.

    And without role separation, the user should be both a CA admin and a certificate manager.

    Regards,

    Yan Li



    Wednesday, March 26, 2014 3:01 AM
    Moderator
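
A quick way to check the role-separation condition from the answer above on the CA server. This is an added example, not part of the original thread; it assumes the standard CertSvc registry layout and treats a missing `RoleSeparationEnabled` value as "not enforced".

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# Assumption: standard AD CS registry layout under the CertSvc service key.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-Elevated {
    # True when the current token is an elevated local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CaRoleSeparation {
    if (-not (Test-Path $ConfigKey)) {
        throw 'CertSvc configuration key not found; run this on the CA server.'
    }
    # "Active" holds the name of the CA whose settings are in use.
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $caKey  = Join-Path $ConfigKey $caName
    # Assumption: a missing value is treated as 0 (role separation not enforced).
    $prop = Get-ItemProperty -LiteralPath $caKey -Name RoleSeparationEnabled -ErrorAction SilentlyContinue
    $enabled = [bool]($prop -and $prop.RoleSeparationEnabled -ne 0)
    [pscustomobject]@{ CAName = $caName; RoleSeparationEnabled = $enabled }
}

$status = Get-CaRoleSeparation
"CA: {0}" -f $status.CAName
"Elevated session: {0}" -f (Test-Elevated)
if ($status.RoleSeparationEnabled) {
    'Role separation is enforced: deleting rows by date (bulk deletion) cannot be performed.'
} else {
    'Role separation is not enforced: the account must hold both the CA administrator and certificate manager roles for bulk deletion.'
}
```

The script only reads configuration; whether the account actually holds both roles still has to be confirmed on the CA's Security tab.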

All replies

  • Hi,

    How about running CMD as administrator?

    And is the account also a certificate manager?

    There are five roles for a CA; please go through the link below for more details:

    Implement Role-Based Administration

    http://technet.microsoft.com/en-us/library/cc732590.aspx

    Regards,

    Yan Li



    Thursday, March 13, 2014 5:42 AM
    Moderator
  • Hi,

    Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.



    Regards, Yan Li

    Wednesday, March 19, 2014 5:32 AM
    Moderator
  • I have the rights; that's why I was able to run the command by row and not by date, and yes, I ran the command prompt as admin. I still need help. Thank you.
    Thursday, March 20, 2014 4:04 PM