How to delete archived certificates using the certutil command?

    Question

  • Hi,

    How to delete archived certificates that are stored on my certificate store using the certutil command?

    I want to delete all such archived certificates.

    Any help is highly appreciated.

    Thank you.

    Thursday, March 15, 2012 8:02 AM

Answers

  • So....

    How to delete archived certificates that are stored on my certificate store using the certutil command?

    How do you do it if you REALLY want to?

    Here is the PowerShell code to remove expired and archived certificates from the "My" store:

      (Thanks to Brian Wilson for helping me with the code!)

    # Open the CurrentUser "My" store for modification, including archived certificates (hidden by default)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My","CurrentUser"
    $MaxAllowedIncludeArchive = ([System.Security.Cryptography.X509Certificates.OpenFlags]::MaxAllowed -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
    $store.Open($MaxAllowedIncludeArchive)
    # $store.Certificates returns a snapshot, so removing from the store while looping over it is safe
    [System.Security.Cryptography.X509Certificates.X509Certificate2Collection] $certificates = $store.Certificates
    foreach ($cert in $certificates)
    {
        Write-Host "Analyzing: " -NoNewline; Write-Host $cert.IssuerName -NoNewline; Write-Host $cert.NotAfter -NoNewline; Write-Host $cert.Archived -NoNewline
        # Remove anything that is expired or flagged as archived
        if (($cert.NotAfter -lt (Get-Date)) -or ($cert.Archived))
        {
            Write-Host " :Removing" -NoNewline
            $store.Remove($cert)
        }
        Write-Host
    }
    $store.Close()


    Tuesday, March 20, 2012 3:38 PM
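Added example (PowerShell, not code from the thread): a variant of the cleanup above that supports -WhatIf so you can review every archived or expired certificate before anything is removed, and that by default keeps certificates which still carry a private key, since those may still be needed to decrypt old data. The function name and parameters are my own; the store and OpenFlags APIs are the same .NET classes used in the post.

```powershell
# Added example, not the poster's script. Function and parameter names are assumptions.
function Remove-ArchivedCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'CurrentUser',
        # Archived certificates with a private key may still be needed for decryption
        # (old encrypted mail, EFS files); skip them unless explicitly requested.
        [switch]$IncludePrivateKey
    )
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite -bor
             [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $Location
    $store.Open($flags)
    try {
        # $store.Certificates is a snapshot collection, so removing from the store
        # while iterating over it is safe.
        foreach ($cert in $store.Certificates) {
            $expired = $cert.NotAfter -lt (Get-Date)
            if (-not ($cert.Archived -or $expired)) { continue }
            $label = '{0} {1} NotAfter={2:yyyy-MM-dd} Archived={3} HasPrivateKey={4}' -f `
                $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.Archived, $cert.HasPrivateKey
            if ($cert.HasPrivateKey -and -not $IncludePrivateKey) {
                Write-Warning "Keeping (private key present): $label"
                continue
            }
            # -WhatIf reports here without removing; otherwise a confirmation prompt is shown
            if ($PSCmdlet.ShouldProcess($label, 'Remove certificate')) {
                $store.Remove($cert)
                Write-Host "Removed: $label"
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run first to see what would be removed, then run for real (prompts per certificate):
Remove-ArchivedCertificate -WhatIf
Remove-ArchivedCertificate
```

Add -IncludePrivateKey only once you have confirmed nothing still needs those keys for decryption.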

All replies

  • Hi,

    Archived are certificates that have expired or have been renewed. In many cases, it is good practice to retain archived certificates instead of deleting them. For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.

    Monday, March 19, 2012 2:58 AM
  • On Mon, 19 Mar 2012 02:58:32 +0000, Bruce-Liu wrote:

    For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.

    No, signing certificates don't need to be archived for this to happen.
    Encryption certificates OTOH need to be archived so that one can use them
    for decryption.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    The faulty interface lies between the chair and the keyboard.

    Monday, March 19, 2012 4:30 AM
  • You just have to do from a command line :

    • Certutil -deleterow 01/07/2010 cert
    • Certutil -deleterow 01/07/2010 crl
    Monday, July 1, 2013 2:28 PM
  • Certutil -viewstore MY

    Certutil -delstore MY <certificate serial number>

    The first command will show you the ARCHIVED certificate with its serial number.

    The second command will allow you to delete it.

    We had some issues with this and NDES startup; after renewing the certificate we got EventID 10.

    Thursday, October 3, 2013 7:58 AM