Jun 03 2016

This little bit of code is a work in progress, but it is functional. Run it against your Windows certificate authorities (make sure WSMan/WinRM is enabled on them) and you will get a report of failed requests in the $failedrequests string; it then cleans out all failed requests older than 7 days, and the outcome of that cleanup is reported in the $result string. It uses certutil.

This can go a long way toward preventing a bloated certificate database on your CAs, but it's always a good idea to track down why you're getting failed requests in the first place. Nefarious reasons? Misconfiguration?

$certservers = @('enter','ca servers','here')

# Cut-off date (7 days ago) in M/D/YYYY form, which is what certutil -deleterow takes
$DateFrom = "$((get-date).AddDays(-7).Month)/$((get-date).AddDays(-7).Day)/$((get-date).AddDays(-7).Year)"

# Runs remotely on each CA. The "Request" table holds failed and pending requests,
# so anything still pending from before $date is removed as well.
$Scriptblock = {
  param($date)
  certutil -deleterow $date Request
}

[system.string]$failedrequests = $null
[system.string]$result = $null

foreach ($server in $certservers) {

  $failedrequests = $failedrequests + "=== Failed Requests for $server :`n"
  $failedrequests = $failedrequests + $(invoke-command -ComputerName $server -ScriptBlock {certutil -view logfail} | out-string)
  $result = $result + "=== Clearing failed requests older than $datefrom on $server :`n"
  $result = $result + $(invoke-command -ComputerName $server -ScriptBlock $scriptblock -ArgumentList $datefrom | out-string)
}
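A companion snippet, added here and not part of the original post, that turns the same certutil -view logfail output (in its csv form) into a per-requester, per-reason tally, which is what you need to answer the "nefarious or misconfigured?" question before purging anything. The csv header names, the certutil column list (check `certutil -schema` for the real names on your CA) and the sample rows are constructed assumptions.

```powershell
# Added example (not from the original post): group failed/denied requests reported by a CA
# by disposition message and requester so the cause can be investigated, not just purged.
# Assumption: certutil's csv view prints headers like those in the constructed sample below;
# columns are picked by keyword so renamed or localized headers still work as long as they
# contain "Disposition" and "Requester".

function Get-FailedRequestSummary {
    param(
        [Parameter(Mandatory)][string]$CsvText,   # csv output of certutil -view logfail
        [string]$Server = 'unknown'
    )
    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return }
    $names   = $rows[0].PSObject.Properties.Name
    $dispCol = $names | Where-Object { $_ -match 'Disposition' } | Select-Object -First 1
    $reqCol  = $names | Where-Object { $_ -match 'Requester'   } | Select-Object -First 1
    $rows | Group-Object -Property $dispCol, $reqCol | ForEach-Object {
        [pscustomobject]@{
            Server    = $Server
            Count     = $_.Count
            Requester = $_.Group[0].$reqCol
            Reason    = $_.Group[0].$dispCol
        }
    } | Sort-Object Count -Descending
}

# Constructed sample standing in for the csv output of (column names assumed):
#   certutil -out "Request.RequestID,Request.RequesterName,Request.DispositionMessage" -view logfail csv
$sample = @'
"Request ID","Requester Name","Request Disposition Message"
"1042","CONTOSO\WEB01$","Denied by Policy Module: template not supported by this CA (constructed)"
"1043","CONTOSO\WEB01$","Denied by Policy Module: template not supported by this CA (constructed)"
"1051","CONTOSO\jdoe","Denied by Policy Module: required SAN missing (constructed)"
"1060","CONTOSO\WEB01$","Denied by Policy Module: template not supported by this CA (constructed)"
'@

Get-FailedRequestSummary -CsvText $sample -Server 'ca01' | Format-Table -AutoSize

# Live use, collected over WinRM the same way as the script above:
# foreach ($server in $certservers) {
#   $csv = Invoke-Command -ComputerName $server -ScriptBlock {
#     certutil -out "Request.RequestID,Request.RequesterName,Request.DispositionMessage" -view logfail csv
#   } | Out-String
#   Get-FailedRequestSummary -CsvText $csv -Server $server
# }
```

A requester that keeps hitting the same denial in bulk is usually an autoenrollment or template misconfiguration; a single account probing many templates is the pattern worth escalating.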

 Posted by at 4:26 pm