Solved

Command Line function to delete security certs

Posted on 2010-11-12
Last Modified: 2012-05-10
Morning, I am looking for a faster way to delete security certs on a remote machine. Currently I use MMC and load up the security certificates from the remote machine. I am looking to script it out so it is easier and way faster.

Currently I use MMC and use the certificates snap-in, connect to the remote machine in question and then right click and delete the invalid certificates.

Does anyone know what command that is to use?
Question by:nightcasino
23 Comments
 

Author Comment

by:nightcasino
ID: 34120741
I should also add this is for Windows XP Pro. In the certificates we click on the machine name\personal then certificates.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34120751
Google for certutil - this should be able to add and remove certificates automatically for you.
0
 

Author Comment

by:nightcasino
ID: 34120848
That appears to be server side.
0

 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34120878
It's available on my Windows 7 machine.
0
 

Author Comment

by:nightcasino
ID: 34120952
I have Windows XP. :-(
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34120988
Can you install the Windows 2003 Server administration pack? This includes certutil for XP.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121010
This may also prove useful but I can't see a way of doing this without deploying something to the client machines. At least this is only a single exe:

http://weblogs.asp.net/hernandl/archive/2005/02/09/WinHttpCertCfgTool.aspx
0
 

Author Comment

by:nightcasino
ID: 34121341
I'm going to try installing the server pack. Also thanks for the info on the winhttp but I can't install on the target machines due to security.

My only hope now is if certutil can remotely run on a target machine.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121370
How are you going to execute it remotely?

I'm assuming you are administrating a number of machines across a network, domain controlled?

No probs, good luck!
0
 

Author Comment

by:nightcasino
ID: 34121406
Yes, I would really like to just make a simple batch script to run on a single machine. We are having issues with the old expired one and our Windows machines not moving to the current one.

All machines are on the domain.

You'd love it if it was as simple as SC \\machine query haha
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121535
You could roll out the server admin pack and then the certutil command via a logon script? That way it runs on the client and covers both requirements in one hit.

Definitely!
0
 

Author Comment

by:nightcasino
ID: 34121548
Well the best news is that it is already installed on the target machines. I'm just trying to figure out how to use it. I'm used to seeing the names of the certs. Can't seem to figure that one out.
0
 

Author Comment

by:nightcasino
ID: 34121644
I cannot for the life of me get it to display the certs like they do in MMC.
Under \\machinename\personal\certificates
it says issued to, issued by, expire date, intended purpose, provided by.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121718
This is a pretty comprehensive guide on using certutil.

http://technet.microsoft.com/en-us/library/cc772898(WS.10).aspx#BKMK_ver_certs_store

What is the certificate for?
0
 

Author Comment

by:nightcasino
ID: 34121744
There is a cert titled the machine name used for client authentication that we need to delete to let a required one be the only one listed. Then the wireless connections work again.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121778
You need to figure out which store your certificate is in (you can use certutil -viewstore). Once you've found it you can get the certificate index and pass it in to the -delstore command switch - if you have a look at the link I sent, one of the last sections is for deleting certificates from both the local machine store and the current user store.

What happens if you just type certutil? What data do you get out? On my Windows 7 machine (I don't have XP to hand) it gives me a list of all of the certificates installed on my machine across all stores.
0
 

Author Comment

by:nightcasino
ID: 34121819
I'll try the certutil -viewstore command and see.

Well on my local machine it pulls the list of certs as I would expect. On the target machine using psexec it displays just numbers like this:
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
417.329.0: 0x80070002 (WIN32: 2)
417.596.0: 0x80070002 (WIN32: 2)
then on the bottom of the deal it says:
CertUtil: The system cannot find the file specified.
0
 
LVL 1

Expert Comment

by:aaronrhodes
ID: 34121841
Hmm. Sounds like you might need to get the process up and running directly on one of the boxes and push out via a logon script.

What are those numbers? Are they cert IDs? Can you get any more information on a cert by cert basis using any other command switches?
0
 

Author Comment

by:nightcasino
ID: 34121847
Ahh, see, you can't run the -viewstore command using psexec because it actually pops up a menu.
0
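
The certutil procedure discussed in the comments above (find the certificate, then pass its ID to -delstore), written as an added example that is not part of the original thread and uses the console-only `certutil -store` listing in place of `-viewstore`, which opens a dialog. The script name `delcert.cmd`, the serial-number argument and the backup path are assumptions for illustration; `My` is the Local Computer "Personal" store the asker browses in MMC.

```bat
@echo off
rem Added example, not from the original thread.
rem Hypothetical name: delcert.cmd <SerialNumber>
rem Run it on the target machine as an administrator (startup script,
rem scheduled task, or an existing remote command session).
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 SerialNumber
    echo.
    echo Certificates currently in the Local Computer My store:
    rem -store prints Serial Number, Issuer, Subject and NotAfter for
    rem each entry on the console; no window is opened.
    certutil -store My
    exit /b 1
)

set "CERTID=%~1"
rem Assumed backup location; change to a share or log folder as needed.
set "BACKUP=%TEMP%\removed-%COMPUTERNAME%.cer"

rem Look the certificate up by serial number and save a copy of it
rem (certificate only, no private key) before touching the store.
certutil -store My "%CERTID%" "%BACKUP%"
if errorlevel 1 (
    echo Certificate %CERTID% was not found in the My store on %COMPUTERNAME%.
    exit /b 2
)

rem Delete exactly that certificate from the machine store.
certutil -delstore My "%CERTID%"
if errorlevel 1 (
    echo Delete of %CERTID% failed on %COMPUTERNAME%.
    exit /b 3
)

rem Print the remaining entries so the run log records the end state.
certutil -store My
endlocal
```

Add `-user` before `-store` and `-delstore` to work on the current user's Personal store instead of the machine store.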
 
LVL 21

Expert Comment

by:AmazingTech
ID: 34123253
Are you only wanting to delete expired certificates? Or all personal certificates?
0
 

Author Comment

by:nightcasino
ID: 34123602
Well specific personal ones. Mainly there is a personal cert titled the machine name.
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
ID: 34124655
Actually all personal certificates are stored in your user profile and certificates usually have the same filename per certificate.

So to see your own personal certificates run this:

dir /b /a "%AppData%\Microsoft\SystemCertificates\My\Certificates"

So once you figured out this filename you could delete them all.

del /a /s "C:\Documents and Settings\123B23F2323E232A64743D243453B234924"

Or of course remotely

del /a /s "\\RemoteComputer\C$\Documents and Settings\123B23F2323E232A64743D243453B234924"

Heard you laughing 11/12/10 07:37 AM, ID: 34121406 but it could actually be really simple.
0
 

Author Comment

by:nightcasino
ID: 34129276
Nothing seems to be there. I get no results when searching for the certificates. :-(
0

Question has a verified solution.