ZUNO asked:
How to remove computer certificate from the local store

Hello,

we have by error enrolled 2 computer certificates of the same kind to all workstations within our company. They were both made from "Computer Certificate Template" and each one is named differently. My question is how can I delete from all workstations certificate created from "Template Y" without touching certificate from "Template X"?

thanks in advance
Capture.PNG
ndr-itsolutions

You could use PowerShell to remove the certificates; have a look at the following article:

http://technet.microsoft.com/en-us/library/hh847855.aspx
ZUNO (asker)

Hi,

I have performed the following operation, "get-ChildItem cert:LocalMachine\My", but from this output I cannot distinguish which certificate is from the desired template.

PS H:\> get-ChildItem cert:LocalMachine\My


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
541542F127F98522C372A82004F76D3716BBE814
115443E2E2EC110D6032EA0C022B5343B770D678


I checked manually that Thumbprint 541542F127F98522C372A82004F76D3716BBE814 corresponds to the certificate I want to delete, but it differs on every single PC.

Is there any way I can filter out only the certificate from my desired template? Otherwise this command will be useless for me, as I need to run a start-up script for automatic deletion of the specified certificate from all PCs.
Coralon
Normally, you should be able to just differentiate them by the expiration date.  In your screenshot, they clearly have different ones.  

If you are not sure, then your best bet is to just delete them both and then install the one you want on *one* machine.  That will tell you the expiration date, and then you will know which one to delete off of the other machines.

Coralon
ZUNO (asker)

Hi Coralon,

thanks for your reply, but unfortunately this is not possible as we are using DOT1x and those certificates are used to authenticate computers in our network. This means if none of them is found you are not authorised to access the corporate network.

get-ChildItem cert:LocalMachine\My | Select *

Running the above will show you all the properties that you have access to.  I have no first hand experience with it myself, but from my knowledge the only practical way to manage local certificates with PowerShell is to use the Quest cmdlets.

It's easy enough to revoke all the certificates that have been issued from a particular template through the MMC on the CA, but this won't actually delete the certs.
That's why I was saying to try it on one machine.  Since you do require it in order to access your network, then it's still entirely possible.

Take that 1 machine, change the local admin password, or add a local admin account.  Remove both certs.  Then add the oldest one back and see if you can log in to the network.  If that doesn't work, swap them out, and you should be good to go.  You'll be able to use the local account in order to log in to swap out the certs.

Coralon
ZUNO (asker)

Hi footech, I have tried your command and now I see all the info I need. Currently I would need some script/command that will do the following:
"delete cert from cert:LocalMachine\My where SerialNumber = 123456"

Is there anything like this? Or

"delete cert from cert:LocalMachine\My where TemplateName = TemplateX"


Coralon for some unknown reason I'm not able to delete those certs - still getting an error. I have tested it with local user account on test computer, with Local admin account on test computer, with Enterprise admin account on another computer and those certs are still there :-/

I have never worked with PowerShell so what am I doing wrong?

PS C:\> get-childitem cert:\LocalMachine\My


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
541542F127F98522C372A82004F76D3716BBE814
115443E2E2EC110D6032EA0C022B5343B770D678


PS C:\> remove-item cert:\LocalMachine\My\

Confirm
The item at cert:\LocalMachine\My\ has children and the Recurse parameter was not specified. If you continue, all
children will be removed with the item. Are you sure you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Remove-Item : Provider execution stopped because the provider does not support this operation.
At line:1 char:12
+ remove-item <<<<  cert:\LocalMachine\My\
    + CategoryInfo          : NotImplemented: (:) [Remove-Item], PSNotSupportedException
    + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.RemoveItemCommand

PS C:\>
PS C:\> PS C:\>get-childitem cert:\LocalMachine\My\541542F127F98522C372A82004F76D3716BBE814
Get-Process : A positional parameter cannot be found that accepts argument 'cert:\LocalMachine\My\541542F127F98522C372A
82004F76D3716BBE814'.
At line:1 char:3
+ PS <<<<  C:\>get-childitem cert:\LocalMachine\My\541542F127F98522C372A82004F76D3716BBE814
    + CategoryInfo          : InvalidArgument: (:) [Get-Process], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand

PS C:\>


ASKER CERTIFIED SOLUTION
footech
This solution is only available to members.
You couldn't delete it with the local admin?  That seems really odd. I'm talking about doing this graphically with the certificates MMC. If it was still locked, I'd remove the network cable, reboot it, and try again from the console of the machine.

Coralon
ZUNO (asker)

Hi footech,

your script works like a charm :) I just changed one parameter to match my expiration date.

{$_.NotBefore -lt "7/20/2012"} => {$_.NotAfter -gt "1/1/2015"}

thanks for your help
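A worked version of the start-up script the thread asks for (the "delete cert where TemplateName = TemplateX" request and the NotBefore/NotAfter filter ZUNO adjusted), added here as an example; it is not footech's accepted answer, which is not shown on this page. It keys on the certificate-template extension rather than on thumbprint or expiry date, which vary per PC. 'TemplateY' is an assumed placeholder for the template to purge, and the X509Store API is used because the Cert: provider does not support Remove-Item on PowerShell 2.0, as the error above shows.

```powershell
# Added example (not footech's accepted answer, which is not shown on this page):
# remove the LocalMachine\My certificates issued from one template and keep the rest.
# Assumptions: 'TemplateY' is a placeholder for the template to purge; run as a local
# administrator; the X509Store API is used instead of Remove-Item because the Cert:
# provider does not support deletion on PowerShell 2.0 (the error shown above).
$TemplateToRemove = 'TemplateY'   # assumed name; the template's OID string also works
$DryRun = $true                   # set to $false only after checking the dry-run output

# Extensions that record the issuing template: v1 "Certificate Template Name" and
# v2+ "Certificate Template Information".
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-CertTemplateText {
    # Decoded extension text, e.g. "TemplateY" (v1) or
    # "Template=TemplateY(1.3.6.1.4.1.311.21.8...), Major Version Number=..." (v2);
    # $null for certificates without a template extension (self-signed, third-party).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return $null
}

function Test-IssuedFromTemplate {
    param($Cert, [string]$Template)
    $text = Get-CertTemplateText $Cert
    if (-not $text) { return $false }
    # Match the whole name or OID, so 'TemplateX' does not also match 'TemplateX2'.
    return [bool]($text -match ('(^|=|\()' + [regex]::Escape($Template) + '(\(|\)|,|$)'))
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $all    = @($store.Certificates)
    $doomed = @($all | Where-Object { Test-IssuedFromTemplate $_ $TemplateToRemove })
    if ($doomed.Count -gt 0 -and $doomed.Count -eq $all.Count) {
        # Never empty the store: with 802.1X machine auth that would lock the PC out.
        throw 'Refusing to remove: no other certificate would remain in LocalMachine\My'
    }
    foreach ($cert in $doomed) {
        $label = "$($cert.Thumbprint) (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
        if ($DryRun) { Write-Output "Would remove $label" }
        else { $store.Remove($cert); Write-Output "Removed $label" }
    }
} finally {
    $store.Close()
}
```

Run it first with $DryRun left at $true and compare the listed thumbprints against the MMC view on one test PC; if the template name cannot be resolved locally the decoded text shows only the template OID, in which case set $TemplateToRemove to that OID string.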