How to delete archived certificates using the certutil command?

Answers
So....
How to delete archived certificates that are stored on my certificate store using the certutil command?
How do you do it if you REALLY want to?
Here is the PowerShell code to remove expired and archived certificates from the "My" store:
(Thanks to Brian Wilson for helping me with the code!)

# Open the CurrentUser "My" store with the highest access available and include archived certificates
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My","CurrentUser"
$MaxAllowedIncludeArchive = ([System.Security.Cryptography.X509Certificates.OpenFlags]::MaxAllowed -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
$store.Open($MaxAllowedIncludeArchive)
[System.Security.Cryptography.X509Certificates.X509Certificate2Collection] $certificates = $store.Certificates
foreach ($cert in $certificates)
{
    # $cert.Issuer is the issuer DN as a string ($cert.IssuerName is an object that does not print usefully)
    Write-Host "Analyzing: " -NoNewline; Write-Host $cert.Issuer -NoNewline; Write-Host " " $cert.NotAfter -NoNewline; Write-Host " " $cert.Archived -NoNewline
    # Remove anything that is past its NotAfter date or flagged as archived
    if (($cert.NotAfter -lt (Get-Date)) -or ($cert.Archived))
    {
        Write-Host " :Removing" -NoNewline
        $store.Remove($cert)
    }
    Write-Host
}
$store.Close()
- Proposed as answer by Stephen Druessel Wednesday, March 21, 2012 2:41 PM
- Edited by Stephen Druessel Wednesday, March 21, 2012 2:46 PM
- Marked as answer by Bruce-Liu Monday, March 26, 2012 1:56 AM
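A more cautious variant of the cleanup above, added here as an example and not code from the thread or from Brian Wilson: it runs read-only by default and only lists what it would remove, and it keeps any expired or archived certificate that still has a private key with an encryption key usage, since (as the replies below point out) those are the ones you may still need to decrypt old data. The parameter names (-Delete, -Location), the function name Test-KeepForDecryption and the keep/remove rule are my own choices; the key-usage flags and the EFS enhanced-key-usage OID 1.3.6.1.4.1.311.10.3.4 are standard .NET and Windows values, not taken from the page. It operates on the live store (there is no sample input for a certificate store), which is why the dry run is the default.

```powershell
# Added example, not part of the original thread. Dry run unless -Delete is given.
# Keeps expired/archived certificates whose private key may still be needed for
# decryption; removing from LocalMachine requires an elevated prompt.
param(
    [switch]$Delete,
    [ValidateSet("CurrentUser", "LocalMachine")]
    [string]$Location = "CurrentUser"
)

# Key usages that mean "this key can decrypt something" (standard .NET flags)
$encryptionUsages = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor `
                    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment
$efsEku = "1.3.6.1.4.1.311.10.3.4"   # Encrypting File System EKU (standard Microsoft OID)

function Test-KeepForDecryption {
    # Returns $true when the certificate may still be needed to decrypt data.
    # Rule (my own, conservative): keep if it has a private key and either an
    # encipherment key usage, no key-usage extension at all, or the EFS EKU.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $false }   # nothing to decrypt with

    $keyUsage = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($null -eq $keyUsage) { return $true }         # usage unconstrained: be conservative
    if (($keyUsage.KeyUsages -band $encryptionUsages) -ne 0) { return $true }

    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -ne $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEku })) { return $true }

    return $false
}

# Open the store read-only for the dry run, read-write only when actually deleting;
# IncludeArchived is what makes archived certificates visible at all.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My", $Location
$openFlags = [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
if ($Delete) { $openFlags = $openFlags -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite }
else         { $openFlags = $openFlags -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly }
$store.Open($openFlags)

$now = Get-Date
$removed = 0
$kept = 0
# Snapshot the candidates first; $store.Certificates returns a fresh collection each call
foreach ($cert in @($store.Certificates | Where-Object { $_.Archived -or $_.NotAfter -lt $now })) {
    $why = if ($cert.Archived) { "archived" } else { "expired " + $cert.NotAfter.ToString("yyyy-MM-dd") }
    $label = "{0}  {1}  [{2}]" -f $cert.Thumbprint, $cert.Subject, $why

    if (Test-KeepForDecryption $cert) {
        Write-Host "KEEP    $label  (private key with encryption usage)"
        $kept++
        continue
    }
    if ($Delete) {
        $store.Remove($cert)
        Write-Host "DELETED $label"
        $removed++
    } else {
        Write-Host "WOULD DELETE $label  (rerun with -Delete)"
    }
}
$store.Close()
Write-Host ("Done: {0} removed, {1} kept for decryption" -f $removed, $kept)
```

Save it as a .ps1, run it once with no arguments to see the KEEP / WOULD DELETE list, then rerun with -Delete (and -Location LocalMachine from an elevated prompt for the machine store). Signing-only certificates without a private key fall through to deletion, which matches the point made below that only encryption certificates need to be retained.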
All replies
-
Hi,
Archived certificates are certificates that have expired or have been renewed. In many cases, it is good practice to retain archived certificates instead of deleting them. For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.
-
On Mon, 19 Mar 2012 02:58:32 +0000, Bruce-Liu wrote:
For example, you would need to keep an archived certificate to verify digital signatures on old documents signed using the key on the now-expired or renewed certificate.
No, signing certificates don't need to be archived for this to happen.
Encryption certificates OTOH need to be archived so that one can use them
for decryption.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
The faulty interface lies between the chair and the keyboard.
-
Certutil -viewstore MY
Certutil -delstore MY <certificate serial number>
The first command will show you the ARCHIVED certificate with its serial number;
the second command will allow you to delete it.
We had some issues with this and NDES startup: after renewing the certificate we got EventID 10.