PowerShell Script To Submit Certificate Requests In Bulk Using Certreq.exe


Lise Henton

Jul 19, 2024, 2:30:57 PM
to grovcamsgraves

As with the GUI, you have to run the tool on each server individually. However, since this utility can work with the preconfigured .inf file while creating certificate requests, it can be used with a PowerShell script to speed up the process:

PowerShell script to submit certificate requests in bulk using certreq.exe

Download Zip: https://urluss.com/2zrBcs

That leaves failed and pending requests. These rows are just requests; there are no issued certificates associated with them. In addition, while technically a failed request can be resubmitted to the CA by the Administrator, unless the cause of the original failure is addressed there is little purpose in doing so. In practice, you can safely delete failed requests. Any pending requests should probably be examined by an Administrator before you delete them. A pending request means that someone out there has an outstanding certificate request for which they are patiently waiting on an answer. The Administrator should go through and either issue or deny any pending requests to clear that queue, rather than just deleting the records.

The next step in this process is to actually delete the rows using our trusty command line utility certutil.exe. The -deleterow verb, introduced in Windows Server 2003, can be used to delete rows from the CA database. You just provide it with the type of records you want deleted and a past date (if you use a date equal to the current date or later, the command will fail). Certutil.exe will then delete the rows of that type where the date the request was submitted to the CA (or the date of expiration, for issued certificates) is earlier than the date you provide. The supported types of records are:

Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.
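The bulk certreq.exe workflow the post describes, as an added example that is not code from the original post or from any download it links to. It assumes the server names, the CA config string (`CAHost\CAName`) and the template name shown below, that WinRM is enabled on the targets, and that the operator is a local administrator there. The request is created on each server (so the private key never leaves it), the CSR is brought back and submitted from the operator's workstation with the operator's own credentials, and the issued certificate is pushed back and bound to the key with `certreq -accept`.

```powershell
# Added example (not the original post's code). All names below are assumptions.
$Servers  = @('web01.corp.example', 'web02.corp.example')   # assumed server list
$CAConfig = 'ca01.corp.example\Corp Issuing CA'              # assumed "CAHost\CAName"
$Template = 'CorpWebServer'                                  # assumed template name
$Staging  = Join-Path $env:TEMP 'bulk-certreq'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# Step 1 (runs on each server): write the preconfigured .inf and create the request.
# The key pair is generated in the machine store of that server; only the CSR comes back.
$newRequest = {
    param($Template)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $inf  = Join-Path $env:TEMP "$fqdn.inf"
    $req  = Join-Path $env:TEMP "$fqdn.req"
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn"
"@ | Set-Content -Path $inf -Encoding ASCII
    certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed on $fqdn (exit $LASTEXITCODE)" }
    [pscustomobject]@{ Fqdn = $fqdn; Csr = Get-Content -Path $req -Raw }
}

# Step 3 (runs on each server): install the issued certificate against the key from step 1.
$acceptCert = {
    param($Fqdn, $CerText)
    $cer = Join-Path $env:TEMP "$Fqdn.cer"
    Set-Content -Path $cer -Value $CerText -Encoding ASCII
    certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed on $Fqdn (exit $LASTEXITCODE)" }
    'installed'
}

foreach ($server in $Servers) {
    try {
        $r   = Invoke-Command -ComputerName $server -ScriptBlock $newRequest -ArgumentList $Template
        $req = Join-Path $Staging "$($r.Fqdn).req"
        $cer = Join-Path $Staging "$($r.Fqdn).cer"
        Set-Content -Path $req -Value $r.Csr -Encoding ASCII

        # Step 2 (runs here): submit with the operator's credentials, so the servers
        # never need to authenticate onward to the CA from inside a remote session.
        certreq.exe -submit -config $CAConfig $req $cer | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
            throw "certreq -submit returned no certificate (exit $LASTEXITCODE); the request may be pending"
        }
        $status = Invoke-Command -ComputerName $server -ScriptBlock $acceptCert `
                      -ArgumentList $r.Fqdn, (Get-Content -Path $cer -Raw)
        [pscustomobject]@{ Server = $server; Status = $status }
    }
    catch {
        [pscustomobject]@{ Server = $server; Status = $_.Exception.Message }
    }
}
```

The submitting account needs Enroll permission on the template, and because the subject and SAN come from the .inf, the template must be configured to accept the subject from the request. A request that the CA holds for manager approval shows up as the "request may be pending" status; the operator resolves it in the Certification Authority snap-in and then re-runs only the accept step for that server.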
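A wrapper for the certutil.exe -deleterow cleanup described above, as an added example that is not part of the original post. It enforces the two points the text makes: the cutoff must be a past date (certutil fails otherwise), and because the Request row type covers pending as well as failed requests, it lists any pending requests and refuses to purge them unless explicitly told to. The CA config string and the CSV shape of `certutil -view` output (one header line, then one line per row beginning with the Request ID) are assumptions.

```powershell
# Added example (not the original post's code). Wraps certutil -deleterow with checks.
function Remove-CaDatabaseRows {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][datetime]$OlderThan,
        [Parameter(Mandatory)][ValidateSet('Request', 'Cert')][string]$Type,
        [string]$CAConfig,          # optional "CAHost\CAName"; omitted = local CA
        [switch]$Force              # purge Request rows even while requests are pending
    )
    $cfg = @()
    if ($CAConfig) { $cfg = @('-config', $CAConfig) }

    # certutil rejects a date equal to today or later; fail early with a clear message.
    if ($OlderThan.Date -ge (Get-Date).Date) {
        throw "OlderThan must be earlier than today (got $($OlderThan.ToShortDateString()))"
    }

    if ($Type -eq 'Request' -and -not $Force) {
        # Disposition 9 = request pending. Assumed CSV layout: header line, then one
        # line per row whose first field is the numeric Request ID.
        $pending = & certutil.exe @cfg -view -restrict 'Disposition=9' -out 'RequestID,RequesterName' csv 2>&1
        if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit $LASTEXITCODE): $($pending -join ' ')" }
        $rows = @($pending | Where-Object { $_ -match '^\s*"?\d+"?\s*,' })
        if ($rows.Count -gt 0) {
            Write-Warning "$($rows.Count) pending request(s) would be deleted together with failed ones:"
            $rows | Write-Warning
            throw 'Issue or deny the pending requests first, or re-run with -Force.'
        }
    }

    # certutil parses the date using the system locale; the current culture's
    # short-date format is assumed to match it.
    $dateArg = $OlderThan.ToString('d')
    $target  = "$Type rows submitted (or, for Cert, expiring) before $dateArg on " +
               $(if ($CAConfig) { $CAConfig } else { 'the local CA' })
    if ($PSCmdlet.ShouldProcess($target, 'certutil -deleterow')) {
        $out = & certutil.exe @cfg -deleterow $dateArg $Type 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -deleterow failed (exit $LASTEXITCODE):`n$($out -join "`n")"
        }
        $out
    }
}

# Usage (assumed CA name): preview with -WhatIf, then delete failed requests older than a year.
$ca = 'ca01.corp.example\Corp Issuing CA'
Remove-CaDatabaseRows -OlderThan (Get-Date).AddYears(-1) -Type Request -CAConfig $ca -WhatIf
Remove-CaDatabaseRows -OlderThan (Get-Date).AddYears(-1) -Type Request -CAConfig $ca
```

`ConfirmImpact = 'High'` means the real run prompts before calling certutil unless `-Confirm:$false` is passed, which keeps a scheduled cleanup from silently removing pending rows an Administrator had not yet looked at.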
