Blog August 2, 2019 Certutil, Database, PKI

‘The handle is invalid. 0x80070006 (WIN32: 6)’ when dumping CA database

by Vadims Podāns

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.


ISSUE

Consider the following scenario: you are dumping the CA database with certutil, PowerShell, or any other tool that uses the ICertView2 interface, and at some point you receive the following error:

Certutil:

CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)

CertUtil: The handle is invalid.

PowerShell (when using ICertView interface):

CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)

CAUSE

This error can be caused by handle expiration. Two settings control how long a database access handle stays valid:

1) When the connection is opened by calling ICertView2::OpenConnection, the next action must be taken within the ViewIdleMinutes period. If no action (an OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When the ICertView::OpenView method is called, the handle is valid for the period specified in ViewAgeMinutes. If the CA database dump operation runs longer than this period, the handle is forcibly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.

STATUS
This is by design.

SOLUTION
If you need to extend handle validity for large output, increase the ViewAgeMinutes value in the CA configuration:

    1. Log on to the CA server with local administrator permissions.
    2. Open an elevated command prompt.
    3. Run the following command, where X is the handle validity in minutes:

           certutil -setreg CA\ViewAgeMinutes X

    4. Restart certificate services.
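
The procedure above as one elevated PowerShell script, added here as an example and not part of the original post: it reports both timeouts, raises ViewAgeMinutes only when the current value is lower than the target, restarts the service and confirms the result. Assumptions: the 60-minute target is an arbitrary sample value, the values are read from the CA's registry configuration key (located through its "Active" value), and the service name is CertSvc.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# $TargetMinutes is an assumed sample value; choose one that covers your longest dump.
param([int]$TargetMinutes = 60)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA configured on this server; its subkey holds the settings.
$caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey  = Join-Path $cfgRoot $caName

# Report both timeouts. If a value is absent, fall back to the defaults stated in the article.
$defaults = [ordered]@{ ViewIdleMinutes = 8; ViewAgeMinutes = 16 }
$current  = @{}
foreach ($name in $defaults.Keys) {
    $prop = Get-ItemProperty -Path $caKey -Name $name -ErrorAction SilentlyContinue
    $current[$name] = if ($prop) { [int]($prop.$name) } else { $defaults[$name] }
    '{0} = {1} minutes' -f $name, $current[$name]
}

# Do not lower a value that is already long enough.
if ($current['ViewAgeMinutes'] -ge $TargetMinutes) {
    "ViewAgeMinutes already covers $TargetMinutes minutes; nothing to change."
    return
}

# The article's certutil command, with X set to $TargetMinutes.
certutil -setreg CA\ViewAgeMinutes $TargetMinutes
if ($LASTEXITCODE -ne 0) {
    throw "certutil -setreg failed with exit code $LASTEXITCODE"
}

# The article's last step: restart certificate services.
Restart-Service -Name CertSvc

# Confirm the stored value after the restart.
$new = (Get-ItemProperty -Path $caKey -Name ViewAgeMinutes).ViewAgeMinutes
"ViewAgeMinutes is now $new minutes."
```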

WORKAROUND

No workaround is available.

APPLIES TO

  • Active Directory Certificate Services (all versions)
