Delete PKI Certs from multiple XP systems?

  • Question

  • My company is working to migrate an entire domain of systems to a new domain. All of these systems are XP. How can I delete all of the PKI signing certificates from those XP machines without having to install some other software onto them first? I cannot get the SCCM Client to install with those certs in the computer/personal store. SCCM tries to use the existing PKI cert and will never finish due to a non-existent PKI infrastructure to support our SCCM installation.

    Certmgr doesn't work as a command line utility on XP

    Certutil doesn't exist on XP

    I found a powershell script, but it will not run unless powershell is installed to the target system.

    I found a vb script, but it called certutil (doesn't exist on XP)

    RESETKEYINFORMATION switch for ccmsetup information only looks at the Trusted Root store


    Mike Brown

    Friday, September 6, 2013 11:00 PM

Answers

  • That is one possible scenario. However, it is not the answer that will work. This customer has purchased a division from another corporate entity and we do not have access to the SCCM servers on their domain to put certutil on the systems. Therefore, we cannot use this solution. We were in the same boat with using Powershell. What we have done and it appears to be working is use a regedit command to call this .reg file.

    Windows Registry Editor Version 5.00

    ; A leading "-" deletes the key, and with it every certificate subkey (one per thumbprint) under it
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates]

    ; Then recreate the now-empty Certificates key so the machine Personal store still exists
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates]

    This actually removes the cert and allows the New Domain/SCCM owners to put their SCCM client on the systems. This was so simple and it was staring me in the face the whole time.

    Jason: It was good seeing you at the LAST (ever) MMS this year.


    Mike Brown

    • Marked as answer by Mike.Brown Saturday, September 7, 2013 8:16 PM
    Saturday, September 7, 2013 8:16 PM
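    As an added example (not part of the thread above, and not Mike's or Jason's code), here is the same .reg-file approach wrapped in a batch file that uses only the tools that ship with XP (reg.exe and regedit.exe): it exports the machine Personal store first so the certificates can be restored, writes and silently imports the delete-then-recreate .reg file, and then queries the key so you can confirm it is empty. It assumes it runs as a local administrator on the XP machine; the key, file paths and file names are my choices, not anything from the original post.

```batch
@echo off
rem Added example, not from the original post: back up, wipe and verify the
rem machine Personal ("My") certificate store on Windows XP with in-box tools.
rem Run from an administrative cmd.exe (or a startup script) on the target box.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates
set BACKUP=%SystemRoot%\Temp\My-Certificates-backup.reg
set WIPE=%TEMP%\wipe-my-store.reg

rem 1. Export the existing store first. Restoring later is just: regedit /s "%BACKUP%"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup of %KEY% failed, leaving the store untouched.
    exit /b 1
)

rem 2. Write the same .reg file the answer uses: delete the key, then recreate it empty.
> "%WIPE%" echo Windows Registry Editor Version 5.00
>>"%WIPE%" echo.
>>"%WIPE%" echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates]
>>"%WIPE%" echo.
>>"%WIPE%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates]

rem 3. Import silently; /s suppresses regedit's confirmation dialog.
regedit /s "%WIPE%"

rem 4. Verify: the key should exist but list no subkeys (each cert is a subkey
rem    named by its SHA-1 thumbprint). Any subkey shown here means a cert survived.
reg query "%KEY%"

del "%WIPE%"
endlocal
```

    Two things to keep in mind when using this: deleting the registry entries removes the certificates (the public halves) from the store, but the corresponding CryptoAPI private-key containers in the machine key folder under %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto are not touched, so if those keys must also go they have to be cleaned up separately; and the same pattern works for the other stores under SystemCertificates (for example CA or Root), which is also why the key path should be double-checked before it is pushed to a whole domain.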

All replies

  • You can grab certutil from the Server 2003 resource kit.

    Is your ConfigMgr 2012 site using HTTPS communication? If not, disable it completely in the site settings.

    If you are, change the cert selection criteria.


    Jason | http://blog.configmgrftw.com


    Saturday, September 7, 2013 2:06 AM