
using command - certutil -deleterow (date) request - not working in some environments

Eldar Habibzade 1 Reputation point
2022-03-14T03:13:20.49+00:00



According to my experience

How to delete multiple (more than 1.000) rows in the Active Directory Certificate Services Jet database - Failed requests

Using the command - certutil -deleterow (date) request - is not working in some environments: the command runs for weeks and does nothing,

because of that I'm using certutil -deleterow (rowid) request multiple times.

1. download the pspki module from sysadmins.lv
2. install the pspki module:
using powershell, unblock the downloaded file

unblock-file pspki.3.7.2.nupkg

unpack it using any archiver

copy PSPKI folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules

after that, run in powershell - import-module pspki

then run the command

Get-CertificationAuthority -Name "Azerbaijan National Issuing Mobile CA01"|Get-FailedRequest -Filter "RequestID -gt 1" -Property "RowId" >> FailedRequest.txt

now you've got a file (FailedRequest.txt) which contains the failed request numbers along with many other properties

download and install python from

https://www.python.org/ftp/python/3.10.2/python-3.10.2-amd64.exe

copy FailedRequest.txt file to C:\Users\xxx\AppData\Local\Programs\Python\Python39 directory

open this file (FailedRequest.txt) and save it with ANSI encoding

now use this python script to get only the lines containing the RowId string from this file

    import re

    # keep only the lines of FailedRequest.txt that contain RowId and append them to output.txt
    with open('FailedRequest.txt') as source, open('output.txt', 'a') as destination:
        www = source.read()
        for string in www.split('\n'):
            # match the whole line when it contains RowId anywhere
            wert = "".join(re.findall('(^.*RowId.*$)', string))
            if wert:
                destination.write(wert + '\n')

open the newly created file output.txt with the Sublime Text editor

now we will add the word - request - at the end of each line

in the menu use Find->Replace - in the Find bar enter the $ character, which means end of line,
in the Replace bar enter - request -, then press Replace All

now we will replace the word - RowId - at the front of each line with - certutil -deleterow -

in the menu use Find->Replace - in the Find bar place RowId - select and copy it from the file,
in the Replace bar enter - certutil -deleterow -, then press Replace All

at the end we should get lines like this - certutil -deleterow 862552 request

now go to the CA server and take a backup of the CA - certsrv.msc - stop CA - start CA - backup CA - select backup CA database and log

then open powershell - select and copy all lines from this created file and paste them into the powershell console

if something goes wrong - restore the CA from backup
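As an added example (not part of the original question, and not PSPKI's or Microsoft's code), the Python script below does the filtering and the two Sublime Text find/replace steps in one pass and writes the result to a .cmd file that can be reviewed before it is run. It assumes that each failed request appears in FailedRequest.txt as a line of the form "RowId : 862552" (the sample input is constructed to look like that), and it detects the UTF-16 byte order mark that Windows PowerShell's >> redirection writes, which is the reason the manual "save as ANSI" step is needed when the file is read as plain text. The file names are placeholders.

```python
import re
import sys
from pathlib import Path

# Constructed sample of what the redirected output of
#   Get-FailedRequest ... -Property "RowId" >> FailedRequest.txt
# is assumed to look like: one "RowId : <number>" line per failed request,
# followed by other properties. The duplicate row is intentional.
SAMPLE_FAILED_REQUESTS = """\
RowId        : 862552
ConfigString : ca01.example.local\\Example Issuing CA01
Table        : Request
Properties   : {}

RowId        : 862553
ConfigString : ca01.example.local\\Example Issuing CA01
Table        : Request
Properties   : {}

RowId        : 862552
ConfigString : ca01.example.local\\Example Issuing CA01
Table        : Request
Properties   : {}
"""

# Only a whole "RowId : <digits>" (or "RowId <digits>") line counts; a RowId
# mentioned inside another property value or a truncated line is ignored.
ROWID_LINE = re.compile(r'^\s*RowId\s*[:=]?\s*(\d+)\s*$')


def decode_powershell_output(raw: bytes) -> str:
    """Decode a file written by PowerShell redirection.

    Windows PowerShell 5.1 writes '>' and '>>' output as UTF-16 with a BOM;
    detecting the BOM replaces the manual "save as ANSI" step.
    """
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16')        # the codec consumes the BOM
    if raw.startswith(b'\xef\xbb\xbf'):
        return raw.decode('utf-8-sig')
    return raw.decode('cp1252')            # "ANSI" on a Western-locale Windows box


def extract_row_ids(text: str) -> list[int]:
    """Return the unique RowId values found in text, in ascending order."""
    ids = set()
    for line in text.splitlines():
        match = ROWID_LINE.match(line)
        if match:
            ids.add(int(match.group(1)))
    return sorted(ids)


def build_delete_commands(row_ids) -> list[str]:
    """One 'certutil -deleterow <RowId> request' line per failed request."""
    return [f'certutil -deleterow {rid} request' for rid in row_ids]


def write_cleanup_script(row_ids, script_path: Path) -> int:
    """Write the commands to a .cmd file for review; returns the command count."""
    commands = build_delete_commands(row_ids)
    header = ['@echo off', 'REM generated from FailedRequest.txt - back up the CA database first']
    script_path.write_text('\r\n'.join(header + commands) + '\r\n', encoding='ascii')
    return len(commands)


def convert(input_path: Path, script_path: Path) -> int:
    """FailedRequest.txt -> delete-failed-requests.cmd; returns the command count."""
    text = decode_powershell_output(input_path.read_bytes())
    return write_cleanup_script(extract_row_ids(text), script_path)


if __name__ == '__main__':
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else Path('FailedRequest.txt')
    dst = Path(sys.argv[2]) if len(sys.argv) > 2 else Path('delete-failed-requests.cmd')
    if src.exists():
        print(f'wrote {convert(src, dst)} commands to {dst}')
    else:
        # no input file: show what the converter produces for the constructed sample
        for cmd in build_delete_commands(extract_row_ids(SAMPLE_FAILED_REQUESTS)):
            print(cmd)
```

Run it on the CA server as `python convert_failed_requests.py FailedRequest.txt delete-failed-requests.cmd` after taking the CA backup, open the .cmd file to confirm it contains only the expected RowId values, and then execute it. Deduplicating and sorting the IDs keeps a row that appears twice in the export from producing a second, failing delete.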



1 answer

Limitless Technology 40,106 Reputation points
2022-03-16T19:46:36.22+00:00

    Hi @Eldar Habibzade

    If the outstanding certificates are processed by the various Public Key Infrastructure client computers, validation will fail, and those certificates will not be used.

    This step-by-step article describes how to decommission a Microsoft Windows enterprise CA, and how to remove all related objects from the Active Directory directory service.

    How to decommission a Windows enterprise certification authority and remove all related objects
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

    Hope this resolves your Query!!

    --
    -- If the reply is helpful, please upvote and accept it as an answer --
