
I created a root CA using makecert:

```
makecert -r -pe -n "CN=MyRootCA" -b 01/01/2015 -e 01/01/2020 -ss root -sr localmachine -len 2048
```

I created a CRL for that root CA and imported it with certmgr:

```
makecert -crl -n "CN=MyRootCA" -r -sv MyRootCRL.pvk MyRootCRL.crl
```

I created a certificate (for client authentication) derived from my root CA:

```
makecert -pe -n "CN=MyClient1" -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in MyRootCA -ss my -sr currentuser -len 2048
```

Now the question: how can I revoke the MyClient1 certificate I created? I have a CRL in my certmgr, but I don't see any way to add my MyClient1 certificate to this CRL.

(I'm using Windows 7)

Can anyone help me with this problem?

Friedrich Merza

1 Answer

You could use certutil to revoke the certificate (according to the documentation here).

pepo
  • I've tried this, but I can't see how to make it work against a local certificate store if the machine is not a CA – Dan Parsonson May 09 '18 at 17:35
  • @DanParsonson According to the documentation there is a `-config` parameter that can be used when accessing a remote CA. I've never done this, so this is only a theory. You could try running `certutil -config - -ping` to see if it lets you connect to the CA. I found it [here](https://blogs.technet.microsoft.com/pki/2007/05/12/a-simple-way-to-set-the-certutil-config-option/) – pepo May 10 '18 at 13:53
  • Thank you for your reply so long after your initial post; I've tried what you suggested and it returns "no active certification authorities found" - from this and my own experimentation, I suspect that certutil is just unable to revoke certificates locally, without a CA installed. Thanks anyway! – Dan Parsonson May 11 '18 at 10:08
  • Then you do not have a CA configured in your AD. Common practice is to report the revocation intent to the CA and they will do it. – pepo May 11 '18 at 10:29
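As an added example (not code from the question or the answer), this PowerShell snippet asks Windows to build the certificate chain for MyClient1 with offline revocation checking, so it reports whether any CRL imported into the local stores (such as the makecert-generated MyRootCRL.crl) actually lists that certificate's serial number. It assumes the subjects and stores from the question's makecert commands, and that the CRL was imported with certmgr as described.

```powershell
# Added example: check whether the locally imported CRLs revoke MyClient1.
# Assumes MyRootCA sits in LocalMachine\Root and MyClient1 in CurrentUser\My,
# exactly as created by the makecert commands in the question.
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=MyClient1' } |
    Select-Object -First 1
if (-not $client) { throw 'MyClient1 certificate not found in CurrentUser\My' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Offline: consult only CRLs already present in the local stores, no network fetch.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the Client Authentication EKU, matching the -eku OID used by makecert.
$eku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($eku) | Out-Null

$valid = $chain.Build($client)
Write-Host "Serial: $($client.SerialNumber)  Chain valid: $valid"
foreach ($element in $chain.ChainElements) {
    foreach ($status in $element.ChainElementStatus) {
        Write-Host ('  {0}: {1} - {2}' -f $element.Certificate.Subject,
            $status.Status, $status.StatusInformation.Trim())
    }
}

$revoked = $chain.ChainStatus | Where-Object {
    $_.Status -eq [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
}
if ($revoked) {
    Write-Host 'MyClient1 appears in a CRL signed by MyRootCA: it is revoked.'
} else {
    Write-Host 'No locally imported CRL lists MyClient1: it is still accepted.'
}
```

A CRL only revokes a certificate when the CRL is signed by the issuing CA and contains that certificate's serial number, so a freshly generated makecert CRL with no entries leaves MyClient1 accepted, which is what this check makes visible.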