How to delete archived certificates using the certutil command?

All replies

• 

  

  0

  Sign in to vote

  Hi,

  Archived are certificates that have expired or have been renewed. In many cases, it is good practice to retain archived certificates instead of deleting them. For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.

  Monday, March 19, 2012 2:58 AM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  On Mon, 19 Mar 2012 02:58:32 +0000, Bruce-Liu wrote:

  For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.

  No, signing certificates don't need to be archived for this to happen.
  Encryption certificates OTOH need to be archived so that one can use them
  for decryption.

  ---

  Paul Adare
  MVP - Forefront Identity Manager
  http://www.identit.ca
  The faulty interface lies between the chair and the keyboard.

  Monday, March 19, 2012 4:30 AM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  So....

  How to delete archived certificates that are stored on my certificate store using the certutil command?

  How do you do it if you REALLY want to?

  Here is the PowerShell code to remove expired and archived certificates from the "My" store:

    (Thanks to Brian Wilson for helping me with the code!)

  $store = New-Object  System.Security.Cryptography.X509Certificates.X509Store "My","CurrentUser"

  $MaxAllowedIncludeArchive = ([System.Security.Cryptography.X509Certificates.openflags]::MaxAllowed –bor [System.Security.Cryptography.X509Certificates.openflags]::IncludeArchived)

  $store.Open($MaxAllowedIncludeArchive)

  [System.Security.Cryptography.X509Certificates.X509Certificate2Collection] $certificates = $store.certificates

  foreach ($cert in $certificates)

   {

    Write-Host "Analyzing: " -NoNewline; Write-Host $cert.IssuerName -NoNewline; Write-Host $cert.NotAfter -NoNewline; Write-Host $cert.Archived -NoNewline

     if (($cert.notAfter -lt (Get-Date)) -or ($cert.Archived))

       {

             Write-Host " :Removing"-NoNewline

          $store.Remove($cert)

       }

    Write-Host

   }

  $store.Close()

  
  

  • Proposed as answer by Stephen Druessel Wednesday, March 21, 2012 2:41 PM
  • Edited by Stephen Druessel Wednesday, March 21, 2012 2:46 PM
  • Marked as answer by Bruce-Liu Monday, March 26, 2012 1:56 AM

  Tuesday, March 20, 2012 3:38 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  You just have to do from a command line :

  • Certutil –deleterow 01/07/2010 cert
  • Certutil –deleterow 01/07/2010 crl

  Monday, July 1, 2013 2:28 PM

  Reply

  |

  Quote
• 

  

  0

  Sign in to vote

  Certutil -viewstore MY

  Certutil -delstore MY <sertificate serial number>

  the first command will show you the ARCHIVED certificate with its serial number

  the second command will allow you to delete this.

  we had some issues with this and NDES startup, after renewing the certificate we got EventID 10

  Thursday, October 3, 2013 7:58 AM

  Reply

  |

  Quote