Webinar: PKI Insights - Best Practices for Improving your PKI Posture Management Program for your Digital Certificates and Encryption by PKI Solutions
Schedule a Demo
Blog August 2, 2019 Certutil, Database, PKI

‘The handle is invalid. 0x80070006 (WIN32: 6)’ when dumping CA database

by Vadims Podāns

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

Expand Your PKI Visibility

Discover why seeing is securing with revolutionary PKI monitoring and alerting.

Learn More About PKI Spotlight®


Consider the following scenario: you are dumping CA database by using certutil, PowerShell or any other tool that utilizes ICertView2 interface and at some point you receive the following error


CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)

CertUtil: The handle is invalid.

PowerShell (when using ICertView interface):

CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)


This error can be caused because of handle expiration. There are two functions that control database access handle validity:
1) When the connection is opened by calling ICertView2::OpenConnection the next action must be taken within a ViewIdleMinutes period. If no action (OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When ICertView::OpenView method is called, the handle is valid for the period specified in the ViewAgeMinutes. If the CA database dump operation exceeds this parameter, the handle is forcedly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.

This is by design.

If there is a need to extend handle validity for large output, you can increase ViewAgeMinutes property by modifying CA configuration:

    1. Log on to CA server with local administrator permissions;
    2. Open elevated command prompt;
    3. Type the following commands in the command prompt:
certutil –setreg CA\ViewAgeMinutes X where X – is a number that represents handle validity in minutes.
  1. Restart certificate services.


No workaround is available.


  • Active Directory Certificate Services (all versions)

Related Resources

  • Blog
    March 7, 2024

    PKI Insights – Avoiding PenTest Pitfalls

    Certificates, PKI, PKI Insights
  • Blog
    July 17, 2023

    PKI Spotlight® now has over 90 Best Practice alerts with its latest release.

  • Blog
    June 2, 2023

    Digital Trust and IT Security: Empowering Your Organization


Vadims Podāns

PKI Software Architect

View All Posts by Vadims Podāns


Leave a Reply

Your email address will not be published. Required fields are marked *