Trying to revoke locally-generated certificate : No local CA error


For some automated tests on my project, I need to revoke a certificate which has been generated locally by makecert.exe.

First, I generate a signer certificate and associated CRL using the following commands, and use certutil to install them to my machine

    # Generate Signer Cert
    makecert.exe -pe -n CN=SignerCert -r -sr LocalMachine -ss Root -a sha256 `
        SignerCert.cer -cy authority
    certutil -installcert SignerCert.cer

    # Set up a certificate revocation list for the CA cert above
    makecert.exe -crl -n CN=SignerCert -r -sr LocalMachine SignerCert.crl
    certutil -addstore Root SignerCert.crl

I then generate another cert for authentication, the one I would eventually like to revoke

    makecert.exe -pe -n CN=AuthCert `
        -ir LocalMachine -is Root -ic SignerCert.cer `
        -sr LocalMachine -ss My -a sha256 AuthCert.cer

and install it as follows (via some powershell)

    $FriendlyName = "AuthCert"   # hypothetical value; the snippet as posted never sets this variable
    $certPath = Join-Path $pwd AuthCert.cer
    # Load the exported .cer so its thumbprint can be matched against the store entry
    $x509cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
    Set-Location "Cert:\LocalMachine\My"
    # makecert already placed AuthCert in LocalMachine\My; find that entry by thumbprint
    $cert = @(Get-ChildItem | Where-Object { $_.Thumbprint -eq $x509cert.Thumbprint })
    $cert = $cert[0]
    $cert.FriendlyName = $FriendlyName

So far so good. If I pull up certlm on my machine, I can see both SignerCert and AuthCert under "Personal > Certificates", SignerCert under "Trusted Root Certification Authorities > Certificates", and SignerCert under "Trusted Root Certification Authorities > Certificate Revocation Lists".

Now for the problematic operation. I would like to revoke AuthCert: certutil has a -revoke operation which I could use, so let's say I retrieve AuthCert's serial number and run the following command

    > certutil -revoke 12345678
    Revoking 12345678 -- Reason: Unspecified
    ICertAdmin::RevokeCertificate: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
    CertUtil: -revoke command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
    CertUtil: The RPC server is unavailable.

The RPC's probably unavailable because there's no local CA

    > certutil -cainfo
    CertUtil: No local Certification Authority; use -config option
    CertUtil: No more data is available.

Can someone offer me a rundown on what's going on here and pointers as to how I can successfully revoke the cert?

asked on Super User Feb 19, 2021 by bumbling-tadpole

1 Answer


The command is meant to be used with AD Certificate Services, and it doesn't work otherwise because without AD Certificate Services, there is no database which would keep records of which certificates were revoked (or issued, for that matter). All your commands just create things on the go and don't keep any state of a "CA".

(Normally a CA would need to remember the revocation until the certificate expires, because it has to keep including it every time it publishes a new CRL – if the next CRL edition doesn't have the entry, then the certificate actually stops being revoked. The CA would also include the revocation list's URL in every certificate it issues, so that clients could download the latest CRL automatically when needed.)

So because you're just generating and signing the certificates "on the fly", you would revoke a certificate by telling makecert to include its serial number in the newly generated CRL (and then import that CRL again). Or at least, in theory.

Unfortunately, even though makecert has a -crl option, it doesn't seem to have one to specify the actual revoked certificates. All it does is create empty CRLs with nothing revoked.

You could possibly use another tool, such as the openssl CLI, to generate revocation lists.

answered on Super User Feb 19, 2021 by user1686
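The following is an added example, not code from the question or the answer above. It shows the state the answer says is missing: a file-backed CA built with the openssl CLI that records what it issued, so a locally issued certificate (named AuthCert, to match the question) can be revoked and then fails CRL checking. It assumes `openssl` 1.1.1 or later is on PATH; the SignerCert/AuthCert names, the config file and the temporary directory are all constructed here.

```shell
#!/bin/sh
# Added example (not from the Super User thread): a minimal file-backed CA with
# openssl. index.txt is the "database" a real CA keeps of issued/revoked certs.
set -e

CA_DIR="$(mktemp -d)"
CFG="$CA_DIR/ca.cnf"
trap 'rm -rf "$CA_DIR"' EXIT

# CA state: issued-certificate database, next serial number, next CRL number.
mkdir -p "$CA_DIR/newcerts"
: > "$CA_DIR/index.txt"
echo 01 > "$CA_DIR/serial"
echo 01 > "$CA_DIR/crlnumber"

# Unquoted heredoc: the shell expands $CA_DIR into absolute paths.
cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE

[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied
EOF

# Self-signed signer cert: the counterpart of "makecert -r -cy authority".
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$CFG" -extensions ca_ext -subj "/CN=SignerCert" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Issue AuthCert through "openssl ca" so the database records it.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
        -subj "/CN=AuthCert" -keyout "$CA_DIR/leaf.key" -out "$CA_DIR/leaf.csr" 2>/dev/null
    openssl ca -batch -config "$CFG" -extensions leaf_ext -notext \
        -in "$CA_DIR/leaf.csr" -out "$CA_DIR/leaf.crt" 2>/dev/null
}

# Publish a CRL from the database; with nothing revoked it is as empty as
# the one "makecert -crl" produces.
publish_crl() {
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Mark AuthCert revoked in the database (the step makecert has no option for).
revoke_leaf() {
    openssl ca -config "$CFG" -revoke "$CA_DIR/leaf.crt" -crl_reason keyCompromise 2>/dev/null
}

# Serial numbers listed in the current CRL, one per line (empty if none).
revoked_serials() {
    openssl crl -in "$CA_DIR/crl.pem" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# "ok" if AuthCert chains to SignerCert and is absent from the CRL,
# "revoked" if the CRL lists it, otherwise the verifier's message.
leaf_status() {
    out="$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
        -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/leaf.crt" 2>&1 || true)"
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo ok ;;
        *) echo "error: $out" ;;
    esac
}

make_signer
issue_leaf
LEAF_SERIAL="$(openssl x509 -in "$CA_DIR/leaf.crt" -noout -serial | cut -d= -f2)"

publish_crl
BEFORE="$(leaf_status)"   # ok: the first CRL lists nothing

revoke_leaf
publish_crl               # re-issue the CRL; it now carries AuthCert's serial
AFTER="$(leaf_status)"    # revoked

echo "serial $LEAF_SERIAL before revocation: $BEFORE"
echo "serial $LEAF_SERIAL after revocation:  $AFTER"
echo "serials in CRL: $(revoked_serials)"
```

The second `publish_crl` is the part makecert cannot do: every CRL edition is regenerated from `index.txt`, so the revocation persists for as long as that database keeps the entry, which is the behaviour the answer describes for a real CA.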

User contributions licensed under CC BY-SA 3.0