Command Line function to delete security certs

Morning, I am looking for a faster way to delete security certs on a remote machine. Currently I use MMC and load up the security certificates from the remote machine. I am looking to script it out so it is easier and way faster.

Currently I use MMC and use the certificates snap-in, connect to the remote machine in question and then right click and delete the invalid certificates.

Does anyone know what command to use?
nightcasino Asked:
 
AmazingTech Commented:
Actually all personal certificates are stored in your user profile and certificates usually have the same filename per certificate.

So to see your own personal certificates run this:

dir /b /a "%AppData%\Microsoft\SystemCertificates\My\Certificates"

So once you've figured out this filename you could delete them all.

del /a /s "C:\Documents and Settings\123B23F2323E232A64743D243453B234924"

Or of course remotely

del /a /s "\\RemoteComputer\C$\Documents and Settings\123B23F2323E232A64743D243453B234924"

Heard you laughing but it could actually be really simple.
11/12/10 07:37 AM, ID: 34121406
0
 
nightcasino (Author) Commented:
I should also add this is for Windows XP Pro. In the certificates we click on the machine name\personal then certificates.
0
 
aaronrhodes Commented:
Google for certutil - this should be able to add and remove certificates automatically for you.
0

 
nightcasino (Author) Commented:
That appears to be server side.
0
 
aaronrhodes Commented:
It's available on my Windows 7 machine.
0
 
nightcasino (Author) Commented:
I have Windows XP. :-(
0
 
aaronrhodes Commented:
Can you install the Windows 2003 server administration pack? This includes certutil for XP.
0
 
aaronrhodes Commented:
This may also prove useful but I can't see a way of doing this without deploying something to the client machines. At least this is only a single exe:

http://weblogs.asp.net/hernandl/archive/2005/02/09/WinHttpCertCfgTool.aspx
0
 
nightcasino (Author) Commented:
I'm going to try installing the server pack. Also thanks for the info on the winhttp but I can't install on the target machines due to security.

My only hope now is if certutil can remotely run on a target machine.
0
 
aaronrhodes Commented:
How are you going to execute it remotely?

I'm assuming you are administrating a number of machines across a network, domain controlled?

No probs, good luck!
0
 
nightcasino (Author) Commented:
Yes, I would really like to just make a simple batch script to run on a single machine. We are having issues with the old expired one and our Windows machines not moving to the current one.

All machines are on the domain.

You'd love it if it was as simple as something like SC \\machine query haha
0
 
aaronrhodes Commented:
You could roll out the server admin pack and then the certutil command via a logon script? That way it runs on the client and covers both requirements in one hit.

Definitely!
0
 
nightcasino (Author) Commented:
Well the best news is that it is already installed on the target machines. I'm just trying to figure out how to use it. I'm used to seeing the names of the certs. Can't seem to figure that one out.
0
 
nightcasino (Author) Commented:
I cannot for the life of me get it to display the certs like they do in MMC.
Under \\machinename\personal\certificates
it says issued to, issued by, expire date, intended purpose, provided by.
0
 
aaronrhodes Commented:
This is a pretty comprehensive guide on using certutil.

http://technet.microsoft.com/en-us/library/cc772898(WS.10).aspx#BKMK_ver_certs_store

What is the certificate for?
0
 
nightcasino (Author) Commented:
There is a cert titled the machine name used for client authentication that we need to delete to let a required one be the only one listed. Then the wireless connections work again.
0
 
aaronrhodes Commented:
You need to figure out which store your certificate is in (you can use certutil -viewstore). Once you've found it you can get the certificate index and pass it in to the -delstore command switch - if you have a look at the link I sent, one of the last sections is for deleting certificates from both the local machine store and the current user store.

What happens if you just type certutil? What data do you get out? On my Windows 7 machine (I don't have XP to hand) it gives me a list of all of the certificates installed on my machine across all stores.
0
 
nightcasino (Author) Commented:
I'll try the certutil -viewstore command and see.

Well, on my local machine it pulls the list of certs as I would expect. On the target machine using psexec it displays just numbers like this:
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
417.329.0: 0x80070002 (WIN32: 2)
417.596.0: 0x80070002 (WIN32: 2)
Then on the bottom of the deal it says:
CertUtil: The system cannot find the file specified.
0
 
aaronrhodes Commented:
Hmm. Sounds like you might need to get the process up and running directly on one of the boxes and push out via a logon script.

What are those numbers? Are they cert IDs? Can you get any more information on a cert by cert basis using any other command switches?
0
 
nightcasino (Author) Commented:
Ahh, see, you can't run the -viewstore command using psexec because it actually pops up a menu.
0
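
An added example (not posted by anyone in this thread) of the non-interactive route: `certutil -store` prints the store as text where `-viewstore` opens a dialog, and `-delstore` takes the serial number shown in that listing. The script layout, the backup path under %TEMP% and the assumption that the installed certutil build accepts a serial number as the certificate ID are assumptions of this example.

```batch
@echo off
rem Added example, not from the thread. Run on the target machine as an
rem administrator, for instance inside a psexec session.
rem Assumption: this certutil build accepts a serial number as the CertId.
rem Pass the serial as one hex string without spaces.
setlocal
set "STORE=My"
set "SERIAL=%~1"

if not defined SERIAL goto :list

rem 1. Confirm the certificate exists and keep a copy before touching it.
rem    -f overwrites a backup left by an earlier run.
set "BACKUP=%TEMP%\%COMPUTERNAME%-%SERIAL%.cer"
certutil -f -store %STORE% %SERIAL% "%BACKUP%"
if errorlevel 1 goto :notfound

rem 2. Delete it from the local machine Personal store.
certutil -delstore %STORE% %SERIAL%
if errorlevel 1 goto :failed

rem 3. Print what is left so the result can be checked in the remote output.
certutil -store %STORE%
echo Deleted %SERIAL% from %STORE%. Backup: %BACKUP%
exit /b 0

:list
rem No argument: dump every certificate in the store as text. Unlike
rem -viewstore this opens no dialog, so it works without a desktop.
certutil -store %STORE%
echo.
echo Usage: %~nx0 SERIAL_NUMBER
exit /b 1

:notfound
echo Serial %SERIAL% not found in %STORE%; nothing deleted.
exit /b 2

:failed
echo certutil -delstore failed for %SERIAL%; check the store before retrying.
exit /b 3
```

Run it once with no argument to read the serial number of the certificate issued to the machine name, then again with that serial. Adding `-user` before `-store` and `-delstore` targets the current user's store instead of the local machine store.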
 
AmazingTech Commented:
Are you only wanting to delete expired certificates? Or all personal certificates?
0
 
nightcasino (Author) Commented:
Well, specific personal ones. Mainly there is a personal cert titled the machine name.
0
 
nightcasino (Author) Commented:
Nothing seems to be there. I get no results when searching for the certificates. :-(
0
Question has a verified solution.
