For some automated tests on my project, I need to revoke a certificate which has been generated locally by makecert.exe.
First, I generate a signer certificate and associated CRL using the following commands, and use certutil to install them to my machine:
# Generate Signer Cert
makecert.exe -pe -n CN=SignerCert -r -sr LocalMachine -ss Root -a sha256 `
SignerCert.cer -cy authority
certutil -installcert SignerCert.cer
# Set up a certificate revocation list for the CA cert above
makecert.exe -crl -n CN=SignerCert -r -sr LocalMachine SignerCert.crl
certutil -addstore Root SignerCert.crl
I then generate another cert for authentication, the one I would eventually like to revoke:
makecert.exe -pe -n CN=AuthCert `
-ir LocalMachine -is Root -ic SignerCert.cer `
-sr LocalMachine -ss My -a sha256 AuthCert.cer
and install it as follows (via some PowerShell):
$x509cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certPath = Join-Path $pwd AuthCert.cer
$x509cert.Import("$($certPath)")
Set-Location "Cert:\LocalMachine\My"
$cert = Get-ChildItem | Where-Object { $_.Thumbprint -eq $x509cert.Thumbprint}
$cert = $cert[0]
$cert.FriendlyName = $FriendlyName
So far so good. If I pull up certlm on my machine, I can see both SignerCert and AuthCert under "Personal > Certificates", SignerCert under "Trusted Root Certification Authorities > Certificates", and SignerCert under "Trusted Root Certification Authorities > Certificate Revocation Lists".
Now for the problematic operation. I would like to revoke AuthCert: certutil has a -revoke operation which I could use, so let's say I retrieve AuthCert's serial number and run the following command:
> certutil -revoke 12345678
Revoking 12345678 -- Reason: Unspecified
ICertAdmin::RevokeCertificate: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: -revoke command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
The RPC's probably unavailable because there's no local CA:
> certutil -cainfo
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.
Can someone offer me a rundown on what's going on here and pointers as to how I can successfully revoke the cert?
The command is meant to be used with AD Certificate Services, and it doesn't work otherwise because without AD Certificate Services, there is no database which would keep records of which certificates were revoked (or issued, for that matter). All your commands just create things on the go and don't keep any state of a "CA".
(Normally a CA would need to remember the revocation until the certificate expires, because it has to keep including it every time it publishes a new CRL – if the next CRL edition doesn't have the entry, then the certificate actually stops being revoked. The CA would also include the revocation list's URL in every certificate it issues, so that clients could download the latest CRL automatically when needed.)
So because you're just generating and signing the certificates "on the fly", you would revoke a certificate by telling makecert to include its serial number in the newly generated CRL (and then import that CRL again). Or at least, in theory.
Unfortunately, even though makecert has a -crl option, it doesn't seem to have one to specify the actual revoked certificates. All it does is create empty CRLs with nothing revoked.
You could possibly use another tool, such as the openssl CLI, to generate revocation lists.
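A concrete version of the openssl route the answer points at, added here as an example rather than code from either poster: a scratch CA whose index.txt database is the missing "state" the answer describes, so revoking the leaf and regenerating the CRL actually lists its serial. File names, subjects and the serial 1000 are constructed for this demo; it assumes the openssl binary is on PATH and should be run in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the question or answer: a minimal OpenSSL CA whose
# index.txt records revocations, so a CRL listing the revoked serial can be
# regenerated at any time. All names and values here are constructed.
set -e

# Build a scratch CA directory with the state files that openssl ca expects.
setup_ca() {
  mkdir -p "$1/newcerts" && cd "$1"
  : > index.txt        # the CA database: one line per issued/revoked cert
  echo 1000 > serial   # next serial to issue (hex)
  echo 01 > crlnumber  # next CRL number
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/signer.crt
private_key      = $dir/signer.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed signer certificate, the counterpart of SignerCert above.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config ca.cnf \
    -subj /CN=SignerCert -keyout signer.key -out signer.crt
  # Leaf certificate (counterpart of AuthCert), issued through the CA database.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj /CN=AuthCert -keyout auth.key -out auth.csr
  openssl ca -batch -config ca.cnf -in auth.csr -out auth.crt >/dev/null
}

# Revoke the leaf, publish a fresh CRL, and print the hex serial(s) it lists.
revoke_and_list() {
  openssl ca -config ca.cnf -revoke auth.crt -crl_reason unspecified >/dev/null
  openssl ca -config ca.cnf -gencrl -out signer.crl >/dev/null
  openssl crl -in signer.crl -noout -text | sed -n 's/^ *Serial Number: *//p'
}
```

Because the revocation lives in index.txt, every later -gencrl keeps carrying the entry, which is exactly the bookkeeping makecert's -crl option cannot do.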
User contributions licensed under CC BY-SA 3.0