Rogue certificates

I have rogue certificates on my Windows machines. I have decommissioned a lot of old CA root servers and applications that required SSL.

On any Windows machine, if I view certificates I see tons of certs that we don't use anymore.

How do I clean it up globally?
alisafia asked:

arnold commented:
What do you mean? Is this a locally issued certificate? You can always revoke it, but since you've decommissioned the CAs that issued those certificates, you cannot. Is there a problem you wish to address/correct by clearing the certificates out?

You may want to explore the certificate tool and use it within a startup script to remove the certificate (certmgr).

Shreedhar Ette commented:

Paranormastic (Cryptographic Engineer) commented:
Either
A) Don't worry about it (at least as far as the client certs go) - as long as you get the roots to no longer be trusted you should be fine. For getting the old roots out - look at GPO and you could get the serial number of each root and run 'certutil -delstore root serialnumber' as a logon script.

If there is a security concern about needing to actually put them into the "Untrusted root" store let me know.  Usually just a rogue CA isn't enough to do that unless it was done with malicious intent.  Not trusting the root is usually good enough, but you need to Untrust a malicious installation.

B) If you're just talking about a few boxes with a lot of certs, open the Certificates MMC snap-in under the Current User and/or Local Computer (you need to open it once for each to manage both). You could then locate the undesired certs and remove them in bulk that way manually (use the Shift or Ctrl key to select multiple, of course, to speed things up a little bit).

C) If there are a large number of certs on a large number of machines, you could do some scripting, but this would be a bit of a hassle if it is not actually causing performance issues.

Run 'certutil -store my >> z:\share\%computername%.log' for computer certs or 'certutil -user -store my >> z:\share\%username%_%computername%.log' for user certs. If you're any good with VB (not my specialty) you could probably whip something up to parse through it looking for whatever is interesting data (e.g. "issued from: root ca name") and have it log the username/computername from the filename and the serial number or thumbprint hash of the cert. You could then have it run on the client as 'certutil -delstore my pasteserialnumber' (you can use the hash in the serial number space if desired); add the -user flag as before if it is for a user cert.
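The audit-then-remove approach described in options A and C above, written as a PowerShell startup/logon script rather than certutil plus a VB parser. This is an added example, not code from the thread or from any of the participants; the CA name, the log share path and the `-Remove` switch are assumptions, and it assumes PowerShell 2.0 or later running elevated (a GPO startup script runs as SYSTEM, which is enough for the Local Machine stores). It only ever touches the Root and CA stores, and it refuses to delete a root while any certificate in the machine's personal store still chains to it, so a service certificate that is still in use does not get orphaned.

```powershell
# Added example (not from the thread). Audits, and with -Remove deletes, certificates
# belonging to a decommissioned CA from the Local Machine Root and CA stores.
# Every match is appended to a per-machine log on a share so results can be
# collected centrally. Assumptions: the CA name and share are placeholders;
# the script runs elevated (e.g. as a GPO startup script).
param(
    [Parameter(Mandatory = $true)]
    [string]$DecommissionedCaName,                                        # placeholder, e.g. 'OLD-ROOT-CA'
    [string]$LogPath = "\\fileserver\certaudit\$env:COMPUTERNAME.log",   # placeholder share
    [switch]$Remove                                                       # omit for a dry run (audit only)
)

# Opens a Local Machine store via .NET so it also works on PowerShell 2.0,
# whose Cert: drive is read-only.
function Open-MachineStore([string]$Name, [string]$Mode) {
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, 'LocalMachine')
    $s.Open($Mode)
    return $s
}

function Write-AuditLine([string]$Store, $Cert, [string]$Action) {
    # Tab-separated: timestamp, store, thumbprint, serial number, subject, action
    $line = ((Get-Date -Format 'u'), $Store, $Cert.Thumbprint, $Cert.SerialNumber, $Cert.Subject, $Action) -join "`t"
    Add-Content -Path $LogPath -Value $line
}

# Leaf/server certificates in the personal store that were issued by the old CA.
# If any exist, the root is still needed to build their chain and is not removed.
$my = Open-MachineStore 'My' 'ReadOnly'
$stillChained = @($my.Certificates | Where-Object { $_.Issuer -like "*$DecommissionedCaName*" })
$my.Close()
foreach ($leaf in $stillChained) {
    Write-AuditLine 'My' $leaf 'STILL-ISSUED-BY-OLD-CA'
}

$mode = 'ReadOnly'
if ($Remove) { $mode = 'ReadWrite' }

foreach ($storeName in @('Root', 'CA')) {
    $store = Open-MachineStore $storeName $mode
    $found = @($store.Certificates | Where-Object {
        $_.Subject -like "*$DecommissionedCaName*" -or $_.Issuer -like "*$DecommissionedCaName*"
    })
    foreach ($cert in $found) {
        $action = 'AUDIT'
        if ($Remove) {
            if ($storeName -eq 'Root' -and $stillChained.Count -gt 0) {
                $action = 'SKIPPED-LEAF-CERTS-STILL-REFERENCE-ROOT'
            } else {
                $store.Remove($cert)
                $action = 'REMOVED'
            }
        }
        Write-AuditLine $storeName $cert $action
    }
    $store.Close()
}
```

Deploy it first without `-Remove` and review the collected logs: the `STILL-ISSUED-BY-OLD-CA` lines tell you which machines still have a service certificate from the old CA and need a replacement before the root can go. Once the logs are clean, add `-Remove` to the GPO script. Matching on the subject catches the old root and intermediate certificates themselves; matching on the issuer catches intermediates signed by the old root that were placed in the CA store.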
