802.1x deployment - Unable to delete client certificate using certmgr.exe

  • Question

  • We are in the process of rolling out 802.1x across the organization. All client computers are Windows XP SP3 and they are being joined to the new Active Directory domain during the network migration. (Existing infrastructure is based on Novell NDS, which is being migrated.) A GPO has been created in the AD for the 802.1x parameters and a Thawte Primary root CA for all the client computers.

    During the pilot process, we found that in many machines there were already two Thawte Primary root certificates in the Local Machine Trusted Root CA store & one Thawte SSL CA in primary root (which is supposed to be in Intermediate CA). This is causing an 802.1x authentication problem as the GPO does not overwrite these certificates.  Once I delete the faulty certs manually & re-apply the GPO, the machines work fine for 802.1x authentication.

    Now to avoid production problems, we need to mandatorily clean up the machines for the existing Thawte certificates and get it applied from GPO, as the machines join the domain. This can't be done manually as we have over 1500 workstations.

    The following is the command I tried with the response.

    certmgr -del -c -s root -sha1 91c6d6ee3e8ac86384e548c299295c756c817b81

    Error: Failed to delete certificates
    CertMgr Failed

    Trying to delete the certificate with the certificate number also produces the same result.

    Please advise on the way forward.

    Thanks

    Karthik Ragavan

    Wednesday, October 27, 2010 12:08 PM

All replies

  • I am having the exact same issue when the certificate is stored under "Trusted Root Certification Authority" for either Local Computer or Current User.  The syntax Microsoft provides simply doesn't work, even though it always returns "CertMgr succeeded".  Ex:

    certmgr.exe /del /c "CDC_ASA.cer" /s /r localMachine Root

    certmgr.exe /del /c "CDC_ASA.cer" /s /r currentUser Root

    Tuesday, November 2, 2010 10:05 PM
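
An added example, not part of the thread and not posted by either participant: a PowerShell script that removes certificates by SHA-1 thumbprint from the Local Machine Trusted Root store through the .NET `X509Store` class, then re-reads the store to confirm the removal instead of relying on a tool's status message. It assumes PowerShell 2.0 is installed on the XP SP3 clients and that it runs with local administrator rights; `Remove-StoreCertByThumbprint` is a hypothetical helper name.

```powershell
# Added example. Assumes PowerShell 2.0 and local administrator rights.
# Remove-StoreCertByThumbprint is a hypothetical helper name.
function Remove-StoreCertByThumbprint {
    param(
        [Parameter(Mandatory = $true)][string[]]$Thumbprint,
        [string]$StoreName = 'Root',
        [string]$StoreLocation = 'LocalMachine'
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $store = New-Object "$ns.X509Store" ($StoreName, $StoreLocation)
    # ReadWrite is needed for Remove(); OpenExistingOnly stops a mistyped
    # store name from silently creating a new, empty store.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, OpenExistingOnly')
    try {
        $byThumbprint = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
        foreach ($tp in $Thumbprint) {
            # Strip spaces and hidden characters picked up when the thumbprint
            # is copied out of the certificate properties dialog.
            $clean = ($tp -replace '[^0-9A-Fa-f]', '').ToUpper()

            # validOnly = $false so expired or untrusted copies are matched too.
            $found = $store.Certificates.Find($byThumbprint, $clean, $false)
            foreach ($cert in $found) { $store.Remove($cert) }

            # Check the store itself after the removal.
            $left = $store.Certificates.Find($byThumbprint, $clean, $false)
            New-Object PSObject -Property @{
                Thumbprint   = $clean
                Store        = "$StoreLocation\$StoreName"
                FoundBefore  = $found.Count
                StillPresent = ($left.Count -gt 0)
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Thumbprint quoted in the question above; add the thumbprints of the other
# unwanted certificates before deploying (for example as a startup script).
Remove-StoreCertByThumbprint -Thumbprint '91c6d6ee3e8ac86384e548c299295c756c817b81'
```

A `StillPresent` value of `True` means the certificate is still visible in that store after the removal call, so that machine should be examined before the GPO is re-applied.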