Rogue certificates

I have rogue certificates on my Windows machines. I have decommissioned a lot of old CA root servers and applications that required SSL.

On any Windows machine, if I view certificates I see tons of certs that we don't use anymore.

How do I clean them up globally?
Paranormastic (Cryptographic Engineer) commented:
A) Don't worry about it (at least as far as the client certs go) - as long as you get the roots to no longer be trusted you should be fine. For getting the old roots out - look at GPO; you could get the serial number of each root and run 'certutil -delstore root serialnumber' as a logon script.

If there is a security concern about needing to actually put them into the "Untrusted" root store, let me know. Usually just a rogue CA isn't enough to do that unless it was done with malicious intent. Not trusting the root is usually good enough, but you need to untrust a malicious installation.

B) If you're just talking about a few boxes with a lot of certs, open the Certificates MMC snap-in under Current User and/or Local Computer (you need to open it once for each to manage both). You could then locate the undesired certs and remove them in bulk that way manually (use the Shift or Ctrl key to select multiple, of course, to speed things up a little bit).

C) If there are a large number of certs on a large number of machines, you could do some scripting, but this would be a bit of a hassle if it is not actually causing performance issues.

Run 'certutil -store my >> z:\share\%computername%.log' for computer certs, or 'certutil -user -store my >> z:\share\%username%_%computername%.log' for user certs. If you're any good with VB (not my specialty) you could probably whip something up to parse through it looking for whatever is interesting data (e.g. "issued from: root ca name") and have it log the username/computername from the filename and the serial number or thumbprint hash of the cert. You could then have it run on the client as 'certutil -delstore my pasteserialnumber' (you can use the hash in the serial number space if desired); add the -user tag as before if it is a user cert.
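The inventory-then-delete approach in parts A and C above, written as one PowerShell script that can be deployed through GPO as a computer startup script (LocalMachine stores need administrative rights) or a user logon script (CurrentUser stores). This is an added example, not code from the thread or from anyone in it; the CA subject names, thumbprints and the share path are placeholders that you would replace with your own. It matches on thumbprint first, because a rogue CA can reuse a retired CA's subject name but cannot reproduce its thumbprint, and it only reports unless -Remove is passed.

```powershell
# Added example (not from the original thread): inventory, then optionally remove,
# root and intermediate certificates belonging to decommissioned CAs.
# Run as a GPO computer startup script for LocalMachine stores (needs admin),
# or as a user logon script for CurrentUser stores. Requires PowerShell 3.0+
# (Remove-Item on the Cert: drive and Export-Csv -Append).
param(
    # Exact Subject strings of the retired roots, as shown in the certificate.
    # Placeholder values - replace with your own.
    [string[]] $RetiredCaSubjects = @('CN=OLD-ROOT-CA-01', 'CN=OLD-ROOT-CA-02'),
    # SHA-1 thumbprints of the retired roots (preferred over names, since a
    # rogue CA can copy a name). Placeholder: empty until you fill it in.
    [string[]] $RetiredThumbprints = @(),
    # Share that collects one CSV per machine/user, like the certutil dump above.
    # Placeholder path.
    [string] $LogShare = '\\fileserver\certaudit',
    # Default is report-only; pass -Remove $true to actually delete.
    [bool] $Remove = $false
)

# Trusted roots and intermediates for both contexts. When run as a startup
# script, CurrentUser is the SYSTEM account's store, so user stores are only
# cleaned when this runs as a logon script in the user's context.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        ($RetiredThumbprints -contains $_.Thumbprint) -or
        ($RetiredCaSubjects -contains $_.Subject) -or
        # intermediates issued by a retired root (typically in the 'CA' store)
        ($RetiredCaSubjects -contains $_.Issuer)
    } | ForEach-Object {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            User       = $env:USERNAME
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            PSPath     = $_.PSPath
        }
    }
}

# Inventory step: append findings to a per-machine/per-user CSV on the share.
# Guarded because piping $null into Export-Csv is an error.
if ($hits) {
    $logFile = Join-Path $LogShare ("{0}_{1}.csv" -f $env:COMPUTERNAME, $env:USERNAME)
    $hits | Export-Csv -Path $logFile -NoTypeInformation -Append
}

# Removal step: Remove-Item on the Cert: drive deletes the certificate itself,
# which is the PowerShell equivalent of 'certutil -delstore <store> <thumbprint>'.
if ($Remove -and $hits) {
    foreach ($h in $hits) {
        Remove-Item -Path $h.PSPath
        Write-Output ("Removed {0} ({1}) from {2}" -f $h.Subject, $h.Thumbprint, $h.Store)
    }
}
```

Run it once report-only, review the CSVs on the share to confirm only the retired CAs are matched, then redeploy with -Remove $true. Two checks worth doing before blaming the clients: a root that was published to Active Directory (the Certification Authorities container under Public Key Services in the configuration partition) or deployed through a GPO Trusted Root Certification Authorities policy is re-downloaded by domain members, so delete it at the source (certutil -viewdelstore against that container, or the GPO entry) or the script will keep removing it on every boot. And if a CA is actually suspected of being malicious rather than just retired, the option Paranormastic mentions is to import it into the Untrusted Certificates store (Cert:\LocalMachine\Disallowed) instead of only deleting it, so it stays distrusted even if it is reinstalled.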
Shreedhar Ette commented:
What do you mean? Is this a locally issued certificate? You can always revoke it, but since you've decommissioned the CAs that issued those certificates, you cannot. Is there a problem you wish to address/correct by clearing the certificates out?

You may want to explore the certificate tool (certmgr) and use it within a startup script to remove the certificates.