我正在尝试从 Windows 2019 AD 域控制器中删除证书颁发机构角色,但停留在以下 MS KB 文章的步骤 5、第 4 项“删除与 CA 关联的私钥”:
如何停用 Windows 企业证书颁发机构并删除所有相关对象
我无法传递以下错误:
CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist
有人能告诉我我做错了什么吗?
这是我的命令:
C:\Users\theadmin>certutil -shutdown
CertUtil: -shutdown command completed successfully.
C:\Users\theadmin>certutil -getreg CA\CSP\Provider
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\bennett-SYDDC03-CA\CSP:
Provider REG_SZ = Microsoft Software Key Storage Provider
CertUtil: -getreg command completed successfully.
C:\Users\theadmin>certutil -CSP KSP -Key
Microsoft Software Key Storage Provider:
bennett-SYDDC03-CA-Xchg(365)
4d183c7256e5a7ea7f353e66e42df2e3_ae2176ee-5d82-4797-a135-97e409c6ec69
RSA
AT_KEYEXCHANGE
iisCngWasKey
597367cc37b886d7ee6c493e3befb421_ae2176ee-5d82-4797-a135-97e409c6ec69
SP800_108_CTR_HMAC
KEY_DERIVATION
bennett-SYDDC03-CA
9cbcfcd7540d895eab9505d386b02142_ae2176ee-5d82-4797-a135-97e409c6ec69
RSA
AT_KEYEXCHANGE
iisCngConfigurationKey
f0e91f6485ac2d09485e4ec18135601e_ae2176ee-5d82-4797-a135-97e409c6ec69
SP800_108_CTR_HMAC
KEY_DERIVATION
CertUtil: -key command completed successfully.
C:\Users\theadmin>certutil -delkey "bennett-SYDDC03-CA"
CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
C:\Users\theadmin>certutil -delkey "bennett-SYDDC03-CA-Xchg(365)"
CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist'
答案1
当你有Microsoft 软件密钥存储提供商作为提供商,您还需要添加-CSP 韩国删除命令以使其成功。
certutil -CSP KSP -delkey CertificateAuthorityName
就你的情况而言:
certutil -CSP KSP -delkey "bennett-SYDDC03-CA"