Problem removing certificates from a remote store

  • Question

  • I have a certificate store on a remote machine, and I want to remove all certificates from that machine store. I'm very new to PowerShell and unfortunately I couldn't find an exact example of code to do what I'm looking for; however, I managed to come up with this snippet.

    $computer = "computer"

    # "\\computer\SMS" addresses the SMS store in the LocalMachine location of the remote computer
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "\\$computer\SMS", 'LocalMachine'
    $store.Open('ReadWrite')
    $certs = $store.Certificates
    # This call is where the error is raised
    $store.RemoveRange($certs)
    $store.Close()


    This gives me an error when calling the method RemoveRange saying that "The procedure is out of range".  I can enumerate the certificates from this store fine and have verified that the $certs variable I'm trying to remove is of type X509Certificate2Collection.  What could be my problem here?

    Monday, June 20, 2011 9:25 PM

All replies

  • Hi,

    Here is a sample, as follows:

    function Remove-Certificate
    {
        param([String]$certName, [String]$certStore)

        # CAPICOM store location 1 = CAPICOM_LOCAL_MACHINE_STORE
        # Open mode 130 = CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED (2) + CAPICOM_STORE_OPEN_EXISTING_ONLY (128)
        $store = New-Object -com "CAPICOM.Store"
        $store.Open(1, "$certStore", 130)

        # Select every certificate whose subject name contains the requested name
        $certsToDelete = @($store.Certificates | Where-Object { $_.SubjectName -like "*$certName*" })

        foreach ($certToDelete in $certsToDelete)
        {
            # Delete the associated private key first, if the certificate has one
            if ($certToDelete.PrivateKey -is [Object])
            {
                $certToDelete.PrivateKey.Delete()
            }
            $store.Remove($certToDelete)
        }

        $store.Close()
    }


    For more information:

    Windows PowerShell met CAPICOM
    http://blogs.msdn.com/b/daiken/archive/2007/01/12/windows-powershell-met-capicom.aspx

    Thanks.

    Wednesday, June 22, 2011 6:53 AM
    Moderator
  • This example only appears to be local.  Can this be done remotely?
    Thursday, June 23, 2011 3:18 PM
  • Hi,

    Yes, you can use "Invoke-Command" to run this function on remote machines.

    For more information:

    http://technet.microsoft.com/en-us/library/dd347578.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2011/06/13/use-powershell-invoke-command-for-remoting.aspx

    Thanks.

    Friday, June 24, 2011 8:53 AM
    Moderator
  • "Invoke-Command" requires WinRM to be installed on the remote computer, correct?  I was trying to prevent making any changes to the remote computer.  Also, not all of the XP PCs that I want to do this on have PowerShell installed.
    Tuesday, June 28, 2011 5:53 PM
  • I work with and test wildcard certs all the time, so after junking up the systems with excess certs I remove them remotely like this:

    $domaincomputerdomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    # The Domain object stringifies to its DNS name, giving a pattern like '*<domain name>'
    $wildcarddomaincomputerdomain = ('*' + $domaincomputerdomain)

    # $objComputer comes from a search of AD for all computers; you can also just type \\computer\Root or \\computer\My, etc.
    $pc = ("\\" + $objComputer.name + "\Root")

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $pc, 'LocalMachine'   # the other store location is CurrentUser
    $store.Open('ReadWrite')
    # Snapshot the matches first so the live collection is not being modified while it is enumerated
    $certsold = @($store.Certificates | Where-Object { $_.Subject -like $wildcarddomaincomputerdomain })
    foreach ($cert in $certsold) { $store.Remove($cert) }
    $store.Close()


    Sean

    Friday, August 5, 2011 2:44 AM
  • Here is your script modified for my needs:

    Function reinstallCerts($pc) {
        $pc = "\\$pc\SMS"
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $pc, 'LocalMachine'   # the other store location is CurrentUser
        $store.Open('ReadWrite')
        $sms_certs = $store.Certificates
        foreach ($cert in $sms_certs) {
            Write-Host $cert
            #$store.Remove($cert)   # fails with "procedure number is out of range"
        }
        $store.Close()
    }


    I was able to read all certs in the store I'm looking at.  Here's the output from that:

    [Subject]
      CN=SMS, CN=ADAMXPTESTVM-2

    [Issuer]
      CN=SMS, CN=ADAMXPTESTVM-2

    [Serial Number]
      78607EAAD751DEB34969F30085CD30FA

    [Not Before]
      3/13/2011 5:34:54 PM

    [Not After]
      2/18/2111 4:34:54 PM

    [Thumbprint]
      E8109149A78AD603F26C862E5EE21871BF7BBF46

    [Subject]
      CN=SMS, CN=ADAMXPTESTVM-2

    [Issuer]
      CN=SMS, CN=ADAMXPTESTVM-2

    [Serial Number]
      7672FE1660019797458A84669411455C

    [Not Before]
      3/13/2011 5:34:55 PM

    [Not After]
      2/18/2111 4:34:55 PM

    [Thumbprint]
      1D2A1306937B6176FDB9F9CA2EF7103B2406DF00


    However, when the script attempts $store.Remove($cert) I'm getting "procedure number is out of range".

    Monday, August 8, 2011 4:47 PM
  • I generated some self-signed certs for my SMS store and tried your code out just like this:

    $pc = "sean-pc"
    $pc = "\\$pc\SMS"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $pc, 'LocalMachine'   # the other store location is CurrentUser
    $store.Open('ReadWrite')
    # $store.Certificates returns a copy, so removing from the store while looping over $sms_certs is safe
    $sms_certs = $store.Certificates
    foreach ($cert in $sms_certs) {
        Write-Host $cert
        $store.Remove($cert)
    }
    $store.Close()

    And it works great. I do not know why you are getting "procedure number is out of range".  Is there a great deal more to the code that could be tripping it up? What version of PS are you using? What OS is on the remote machine? Have you tried to copy and paste some certs into the store, then try to delete them to see if maybe it has something to do with the type of cert it is?

    I tried this on a remote computer and a local computer and it worked. I use the example I provided to strip certs from 25 PCs after application reconfiguration on almost a daily basis.

    Monday, October 10, 2011 4:52 AM
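The remote-removal approach Sean describes in his two replies above (open `\\computer\Store` as a LocalMachine X509Store, filter by subject, remove the matches), packaged as a function with -WhatIf support and per-certificate result reporting. This is an added example, not code from the thread; the function name, parameter names and the result object shape are this example's own, and the computer and subject values in the usage line are taken from the output posted earlier in the thread.

```powershell
# Added example (not from the thread): remove certificates matching a subject filter
# from a remote machine store, previewing with -WhatIf before anything is changed.
function Remove-RemoteStoreCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [string] $StoreName = 'SMS',                            # store name as used in the thread
        [Parameter(Mandatory = $true)] [string] $SubjectLike    # wildcard pattern, e.g. 'CN=SMS*'
    )

    # Same remote-store path form the thread relies on: \\computer\StoreName
    $path  = "\\$ComputerName\$StoreName"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $path, 'LocalMachine'

    try {
        $store.Open('ReadWrite')
        # Snapshot the matches so the collection being enumerated is never the one being changed
        $targets = @($store.Certificates | Where-Object { $_.Subject -like $SubjectLike })
        if ($targets.Count -eq 0) {
            Write-Verbose "No certificates in $path match '$SubjectLike'"
            return
        }
        foreach ($cert in $targets) {
            $label = "$($cert.Subject) [$($cert.Thumbprint)]"
            # With -WhatIf this only reports what would be removed; with -Confirm it prompts per certificate
            if ($PSCmdlet.ShouldProcess($path, "Remove $label")) {
                try {
                    $store.Remove($cert)
                    [pscustomobject]@{ Computer = $ComputerName; Thumbprint = $cert.Thumbprint; Removed = $true;  Error = $null }
                } catch {
                    # Surfaces per-certificate failures such as the "procedure number is out of range" error seen in the thread
                    [pscustomobject]@{ Computer = $ComputerName; Thumbprint = $cert.Thumbprint; Removed = $false; Error = $_.Exception.Message }
                }
            }
        }
    } finally {
        $store.Close()   # always release the remote store handle, even when Open or Remove throws
    }
}

# Preview only (nothing is removed); drop -WhatIf to perform the removal:
Remove-RemoteStoreCertificate -ComputerName 'ADAMXPTESTVM-2' -StoreName 'SMS' -SubjectLike 'CN=SMS*' -WhatIf
```

Run with -Verbose to see the "no match" case, and pipe the output to Format-Table to get a per-computer, per-thumbprint record of what was removed and what failed.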