How can I revoke all certificates issued to specific devices from an Internal CA?

Question

Hi,

I am looking for assistance on revoking multiple certificates issued to a list of devices from our Enterprise Certificate Authority (CA).

I have a list of device identifiers and need to revoke all certificates associated with those devices. I attempted to use the certutil.exe tool to revoke a specific certificate, but I encountered the following error:

certutil.exe -config $CAName -revoke 28 0
Revoking "28" -- Reason: Unspecified
ICertAdmin::RevokeCertificate: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: -revoke command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

Additional Considerations:

• The devices in question are currently not connected to the internal network, I want to execute the cmdlets or script in the Internal CA or any Other member server.
• I have checked, I didn't get the serial number of the certificate using the certutil.exe tool, here I'm trying using the request ID.
• I want to ensure that all relevant certificates are revoked to maintain security.

It would be very helpful if you could suggest how to revoke the certificates using scripts in bulk. I can revoke the certificates using the Certificate Authority, but there are so many certificates that doing it one by one is not feasible.

Any guidance or solutions would be greatly appreciated!

Thanks.

Answer 1

Hello,

Based on your description I think you should give certutil -revoke the serialnumber of the certificate you want to revoke.

You can retrieve it via this code

certutil -view -out "RequestID,SerialNumber,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" csv > "$env:TEMP\tempcerts.csv";

If possible try to execute it directly on your issuing PKI.

PKI Solutions offer a PowerShell Module that maybe can help you on that also
https://github.com/PKISolutions/PSPKI

Regards,