How can I revoke all certificates issued to specific devices from an Internal CA?

Subhash Kumar Mahato 265 Reputation points
2024-10-16T09:29:40.1033333+00:00

Hi,

I am looking for assistance on revoking multiple certificates issued to a list of devices from our Enterprise Certificate Authority (CA).

I have a list of device identifiers and need to revoke all certificates associated with those devices. I attempted to use the certutil.exe tool to revoke a specific certificate, but I encountered the following error:

certutil.exe -config $CAName -revoke 28 0
Revoking "28" -- Reason: Unspecified
ICertAdmin::RevokeCertificate: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: -revoke command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

Additional Considerations:

  • The devices in question are currently not connected to the internal network; I want to execute the cmdlets or script on the internal CA or any other member server.
  • I have checked: I did not get the serial number of the certificate using the certutil.exe tool, so here I am trying the request ID.
  • I want to ensure that all relevant certificates are revoked to maintain security.

It would be very helpful if you could suggest how to revoke the certificates using scripts in bulk. I can revoke the certificates using the Certificate Authority, but there are so many certificates that doing it one by one is not feasible.

Any guidance or solutions would be greatly appreciated!

Thanks.


1 answer

Clément BETACORNE 2,496 Reputation points
2024-10-17T08:05:24.8+00:00

Hello,

Based on your description, I think you should give certutil -revoke the serial number of the certificate you want to revoke.

You can retrieve it with this command:

certutil -view -out "RequestID,SerialNumber,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" csv > "$env:TEMP\tempcerts.csv";

If possible, try to execute it directly on your issuing PKI.

PKI Solutions offers a PowerShell module that may also help you with that:
https://github.com/PKISolutions/PSPKI

Regards,
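The approach from the answer above carried through end to end, as an added example that is not part of this thread: export the issued certificates with certutil -view, match the rows against a device list, and revoke by serial number. The CA config string, device names and the matching rule (common name equals the FQDN, or requester name ends in the machine account) are assumptions; run it with -WhatIf first to see what would be revoked.

```powershell
# Bulk-revoke every issued certificate that belongs to a list of devices.
# Assumed: run on the issuing CA (or a server with the CA admin tools) as a user holding
# "Issue and Manage Certificates"; $CAName is the CA config string "host\CA name".
param(
    [string]$CAName    = 'ca01.corp.example\Corp Issuing CA',              # placeholder
    [string[]]$Devices = @('ws001.corp.example', 'ws002.corp.example'),    # constructed list
    [int]$Reason       = 5,   # CRL reason: 0 Unspecified, 1 KeyCompromise, 4 Superseded, 5 CessationOfOperation
    [switch]$WhatIf           # only list the matches, revoke nothing
)

$csv = Join-Path $env:TEMP 'issuedcerts.csv'
# Disposition=20 limits the view to issued certificates (not pending, denied or already revoked).
& certutil -config $CAName -view -restrict 'Disposition=20' `
    -out 'RequestID,SerialNumber,RequesterName,CommonName,NotAfter' csv | Set-Content -Path $csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil writes localized display names in the CSV header, so columns are read by position
# (the order given to -out); the header row and certutil's trailing status line are dropped.
$rows = Import-Csv -Path $csv -Header RequestID,SerialNumber,RequesterName,CommonName,NotAfter |
        Select-Object -Skip 1 | Where-Object { $_.SerialNumber }

$targets = foreach ($r in $rows) {
    foreach ($d in $Devices) {
        $shortName = $d.Split('.')[0]     # machine certs are requested as DOMAIN\HOST$
        if ($r.CommonName -eq $d -or $r.RequesterName -like "*\$shortName`$") { $r; break }
    }
}
$targets = @($targets)

$failed = @()
foreach ($t in $targets) {
    $label = "RequestID $($t.RequestID) serial $($t.SerialNumber) ($($t.CommonName), expires $($t.NotAfter))"
    if ($WhatIf) { "Would revoke $label"; continue }
    # -revoke takes the hex serial number, not the request ID (passing the ID gives 0x80070057).
    & certutil -config $CAName -revoke $t.SerialNumber $Reason | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $t.SerialNumber; Write-Warning "Failed to revoke $label" }
    else { "Revoked $label" }
}

if (-not $WhatIf -and $targets.Count -gt 0) {
    # Publish a fresh CRL so relying parties learn of the revocations before the next scheduled publish.
    & certutil -config $CAName -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'CRL publish failed; run "certutil -CRL" manually' }
}
"Matched $($targets.Count) certificate(s); $($failed.Count) revocation(s) failed."
```

Keep the exported CSV and the script output as the audit record of what was revoked and why.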
