CERTUTIL Command Line to Delete Local Personal Certificates

    Question

  • Hello Everyone,

    I have done a bit of searching, but haven't found any reference to my specific requirements in using CERTUTIL.  I did see the Technet thread referencing the deleting of personal certificates on a Windows 7 computer using the following command:

    certutil -delstore MY <certificatename>

    However, I would like to remove all the personal certificates using the command line while logged onto the computer with a specific account.  What is the syntax to remove all of them?  The goal is to use this along with other commands in a batch to clean up the profile as the system has to exchange hands to another student.  Unable to delete and recreate account/profile.  Unable to re-image system due to infrastructure restrictions.  There are a large number of systems needing to have these personal certificates removed (mostly 3 each) and all certificates have different names.  What could be used in place of the <certificatename> that would cover all certificates in the Personal tab?

    Thanks,

    Chris Z.




    Wednesday, July 17, 2013 12:30 PM

Answers

  • So you might want to look into the Capicom SDK http://www.microsoft.com/en-us/download/confirmation.aspx?id=25281

    It includes a vbscript to delete certificates from the store

    C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2 SDK\Samples\vbs>CStore.vbs delete -?
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    Usage: CStore Delete [Options] [Store]

    The Delete command is used to delete certificate(s) from a certificate store.
    You can use the filtering option(s) to narrow down the set of certificate(s) to
    be deleted.

    Options:

      -l         <location>      -- CU or LM (default to CU)
      -a                         -- Include archived certificates
      -sha1      <hash>          -- SHA1 hash of the signing certificate
      -subject   <name>          ** Subject Name of the signing certificate must
                                    contain this name
      -issuer    <name>          ** Issuer Name of the signing certificate must
                                    contain this name
      -root      <name>          ** Subject Name of the root certificate must
                                    contain this name
      -template  <name | oid>    ** Template name or OID
      -extension <name | oid>    ** Extension name or OID
      -property  <id>            ** Property ID
      -eku       <name | oid>    ** EKU name or OID
      -policy    <name | oid>    ** Certificate policy name or OID
      -time      <-1 | 0 | 1>    ** Time validity, -1 for not yet valid, 0 for
                                    valid, 1 for expired (default to all)
      -keyusage  <key usage>     ** Key usage bit flag or name
      -delkey                    -- Delete key container if exists
      -noprompt                  -- Do not prompt (always delete)
      -v         <level>         -- Verbose level, 0 for normal, 1 for detail
                                    2 for UI mode (default to level 0)
      -?                         -- This help screen

      Store                      -- My, CA, AddressBook, Root, etc. (default to My)

    Note: All non-fatal invalid options for this specific command will be ignored,
          and the ** symbol indicates option can be listed multiple times.

    I do not have a chance to test it with smart cards before Friday, so it might work for you or not.

    Regards,

    Lutz

    Tuesday, July 23, 2013 11:51 PM

All replies

  • Hi Chris,

    I used this script to clean up all the certs generated from Fiddler. Just play with the Where-Object options and it should be good for your use as well.

    Just as a note: Make sure that you do not need the certificates (private keys) anymore for data access.

    # Select every certificate in the current user's Personal store that was
    # issued by the Fiddler root (adjust the Where-Object filter as needed)
    $certs = @( dir cert:\CurrentUser\my | Where-Object { $_.Issuer -eq "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" })
    # Open the same store for writing so the matched entries can be removed
    $certstore = New-Object System.Security.Cryptography.X509Certificates.X509Store "My","CurrentUser"
    $certstore.Open("ReadWrite")

    foreach ($cert in $certs) {
     write-host "Removing certificate "$cert.subject
     $certstore.Remove($cert)
    }

    $certstore.Close()

    Regards,

    Lutz

    Wednesday, July 17, 2013 1:35 PM
  • Hi Lutz,

    Thanks for the quick response.  It appears you suggest doing it with a VBScript instead of doing it by the CERTUTIL command line.

    Just determined the Issuer would be different from user to user as O and the OU would have different values.  How would one just specify all certificates in the "MY" personal store?  Would adjusting the first line to "$certs = @( dir cert:\CurrentUser\my )" cover everything in the Personal Store?

    I will need to incorporate the CurrentUser to work as an environmental variable.  Would there be anything special to setup for that?

    If necessary, certificates are regenerated from the user's Smart Card.


    Thanks, Chris Z.


    Thursday, July 18, 2013 3:33 PM
  • Actually it is a PowerShell script. Yes, $certs = @( dir cert:\CurrentUser\my ) would find all certificates in the user store. $env:userdomain and $env:username give you the logon domain and user.

    Saturday, July 20, 2013 12:42 AM
  • Hi Lutz,

    Thanks for the confirmation on that.  However, due to the restrictions in my environment, I can only run command line or VB scripts on the systems.  It is very aggravating to deal with these insane administrative restrictions.  So, I will need the VB script version of this.

    But, I will keep this for reference.


    Thanks, Chris Z.

    Monday, July 22, 2013 1:03 PM
  • From the command line you can run these lines to remove all certificates from the user store:

    rem Get the number of certs in store

    for /f "tokens=1,2 delims== " %g in ('certutil.exe -user -store my ^| find "================ Certificate"') do (
      set MAXCERTS=%h
    )

    rem display the number of certs in store

    echo maxcerts: %MAXCERTS%

    rem delete certificates in store one by one

    FOR /L %v IN (1,1,%MAXCERTS%) DO certutil.exe -user -delstore my %v

    if you pack it in a batch file please change %g to %%g, %h to %%h and %v to %%v

    Monday, July 22, 2013 6:55 PM
  • Thanks, I gave your CERTUTIL script a test on my wkstn.  Strangely, it would only do one certificate on each run instead of all of them.   Subsequent runs of the batch script may or may not remove additional certificates (hit or miss).  Also, it initiated the smart card program to prompt me to insert the smartcard every time the batch script was executed.

    I just need to simulate accessing the certificates through IE 8.0 from the Tools>Internet Options>Content(tab)>Certificates>Personal(tab) Highlight all the certificates and click the Remove button.

    Played a little with the script to see if I could get it to work correctly.  Unfortunately, I was unsuccessful.

    Just to let you know I am running this on Windows 7 workstations.


    Thanks, Chris Z.

    Tuesday, July 23, 2013 5:47 PM
  • Thanks, Lutz.

    I'll take a look at that.  Hopefully, that option utilizes Windows 7 out of the box.  Can't install anything on the systems.  The script will have to utilize only what is normally available by default on the OS.

    I'll report back on my results at the end of this week or beginning of next.


    Thanks, Chris Z.

    Wednesday, July 24, 2013 3:47 PM
  • Hi Chris,

    just replace (1,1,%MAXCERTS%) with (%MAXCERTS%,-1,0) and the script works fine and removes all the certificates.

    regards,

    Pankaj


    Friday, August 2, 2013 7:31 PM
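    The behaviour Chris reported (only one certificate removed per run, the rest hit or miss) and Pankaj's fix of counting down instead of up both follow from how the batch script addresses entries. The following is an added example, not code from the thread: it parses the "================ Certificate N ================" headers the batch's `for /f` loop keys on (sample output is constructed) and simulates both FOR /L orders, on the assumption, consistent with what the thread reports, that certutil numbers entries by their current position so that each deletion renumbers the entries after it.

```python
import re

# Constructed sample of the header lines "certutil -user -store my" prints for a
# store holding four certificates (the real output has more lines per entry).
SAMPLE_STORE_OUTPUT = """my
================ Certificate 0 ================
Subject: CN=Student A Auth
================ Certificate 1 ================
Subject: CN=Student A Sign
================ Certificate 2 ================
Subject: CN=Student B Auth
================ Certificate 3 ================
Subject: CN=Student B Sign
CertUtil: -store command completed successfully.
"""

HEADER = re.compile(r"^=+ Certificate (\d+) =+$", re.MULTILINE)

def max_index(store_output):
    """What the batch 'for /f' loop ends up with: the last header's index (N-1)."""
    indexes = [int(m.group(1)) for m in HEADER.finditer(store_output)]
    if not indexes:
        raise ValueError("no certificate headers found")
    return indexes[-1]

def simulate_delstore(subjects, order):
    """Model 'certutil -user -delstore my <index>' for each index in order.

    Assumption (matches the behaviour reported in the thread): certutil addresses
    entries by current position, so removing one renumbers those after it, like
    list.pop(index). An index past the end is skipped (certutil reports an error).
    """
    store = list(subjects)
    for idx in order:
        if 0 <= idx < len(store):
            store.pop(idx)
    return store

def ascending_order(top):   # FOR /L %v IN (1,1,%MAXCERTS%)
    return list(range(1, top + 1))

def descending_order(top):  # FOR /L %v IN (%MAXCERTS%,-1,0)
    return list(range(top, -1, -1))

if __name__ == "__main__":
    top = max_index(SAMPLE_STORE_OUTPUT)
    subjects = re.findall(r"^Subject: (.+)$", SAMPLE_STORE_OUTPUT, re.MULTILINE)
    print("ascending leaves: ", simulate_delstore(subjects, ascending_order(top)))
    print("descending leaves:", simulate_delstore(subjects, descending_order(top)))
```

    With three certificates (indexes 0 to 2) the ascending loop deletes index 1, then finds no index 2, and never touches index 0, which is exactly one removal per run; the descending loop clears the store.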
  • Sorry to be digging into an old post but I am working on this currently with Windows 7 and IE 11.  When I load multiple users' certificates from smart cards I cannot get all the certs to delete without issue.  If only my certificates are loaded there is no issue, but if other user certificates are loaded it asks for their smartcard before it will proceed.  I would like it to delete certificates without any smart card needed. Thanks in advance.
    Tuesday, April 18, 2017 9:25 AM
  • Old thread, just updating commands if it helps someone.

    To add a certificate, use the command below from the path where the certificate file is copied:

    certutil -addstore -f "root" "<name of the certificate file>"

    To delete a certificate:

    First check the certificate name using MMC and then run the command below.

    certutil -delstore "root" "<name of the certificate>"

    Hope it helps.

    Thank you


    Monday, March 26, 2018 7:17 AM