Unable to revoke or terminate yubikey4 with CSIS Enrollment Station

[truemichael]

We're getting the attached message when trying to revoke or terminate. Workstation OS is Win7 32bit. Thank you.

[Genbox]

That's an interesting error.

This is just a shot in the dark, but could you check if you have the file \Binaries\RevokeCert\RevokeCert.exe inside the enrollment station folder?

If it is there, could you open a cmd.exe inside the RevokeCert folder and try running: RevokeCert.exe

You should get some help text as output, and if that's the case, everything should be fine. My suspicion is that you will get an error running that application.

[truemichael]

Received the below error. Thank you.

[Genbox]

@truemichael the image is not displayed here.

[truemichael]

Sorry about that...error is attached.

[Genbox]

@truemichael It is still not here :) I don't think Github supports image attachments by email.

By the way, I just edited your previous replies to not contain your personal information. Hope that is okay with you.

[truemichael]

[Genbox]

@truemichael Thanks! That definitely narrows down the error. The revokecert tool is probably only compiled for 64bit since it uses COM objects, and they are quite tricky to work with, to say the least.

The source code for RevokeCert is available here. You can try to compile it for 32bit yourself if you need a solution right away. Otherwise, I can take a look at the error on Friday and test it out on Win7 32bit.

[truemichael]

Given this limitation, I'm moving to a new Enrollment Stations. Below are the specs and I'm receiving attached error.

• Windows 10 Enterprise LTSB, 64-Bit

[Genbox]

Check out the troubleshooting part of the manual here.

In short, in order to revoke certificates using Microsoft's own COM API, you have get the COM components from the Windows Remote Administration Tools.

Unfortunately, we can't distribute the components due to Microsoft's license.

[truemichael]

Ian,

Thank you for the info and we’re now functioning on the Win10 Ent. Enrollment Station. My last inquiry related to this ticket is the appropriate path to migrate the current enrolled users from the Win7 to Win10. What do you recommend? Thank you.

Rue Michael

[Genbox]

@truemichael There is a couple of things you need. I'll list them in no particular order:

• You need to migrate the Enrollment Agent (EA) certificate. The easiest way is to revoke the old one and enroll a new one if you don't have the EA private key in a hardware protected store. Make sure your user has access to request that particular certificate template. We have a small guide on EA certificates on the front page of this project.
• You need to make sure the computer has the correct time.
• All user credentials are saved to a simple database inside the EnrollmentStation folder. There are no steps to migrate the application other than moving the folder.
• Make sure to change the configuration in the application to point to the new EnrollmentAgent certificate.