Solved

Command Line function to delete security certs

Posted on 2010-11-12
Last Modified: 2012-05-10
Morning, I am looking for a faster way to delete security certs on a remote machine. Currently I use MMC and load up the security certificates from the remote machine. I am looking to script it out so it is easier and way faster.

Currently I use MMC with the Certificates snap-in, connect to the remote machine in question, and then right-click and delete the invalid certificates.

Does anyone know what command to use for that?
Question by:nightcasino
 

Author Comment

by:nightcasino
ID: 34120741
I should also add this is for Windows XP Pro. In the Certificates snap-in we click on the machine name\Personal, then Certificates.
 

Expert Comment

by:aaronrhodes
ID: 34120751
Google for certutil. This should be able to add and remove certificates automatically for you.
 

Author Comment

by:nightcasino
ID: 34120848
That appears to be server side.
 

Expert Comment

by:aaronrhodes
ID: 34120878
It's available on my Windows 7 machine.
 

Author Comment

by:nightcasino
ID: 34120952
I have Windows XP. :-(
 

Expert Comment

by:aaronrhodes
ID: 34120988
Can you install the Windows 2003 Server administration pack? This includes certutil for XP.
 

Expert Comment

by:aaronrhodes
ID: 34121010
This may also prove useful, but I can't see a way of doing this without deploying something to the client machines. At least this is only a single exe:

http://weblogs.asp.net/hernandl/archive/2005/02/09/WinHttpCertCfgTool.aspx
 

Author Comment

by:nightcasino
ID: 34121341
I'm going to try installing the server pack. Also, thanks for the info on WinHTTP, but I can't install it on the target machines due to security.

My only hope now is if certutil can remotely run on a target machine.
 

Expert Comment

by:aaronrhodes
ID: 34121370
How are you going to execute it remotely?

I'm assuming you are administering a number of machines across a network, domain controlled?

No probs, good luck!
 

Author Comment

by:nightcasino
ID: 34121406
Yes, I would really like to just make a simple batch script to run on a single machine. We are having issues with the old expired one and our Windows machines not moving to the current one.

All machines are on the domain.

You'd love it if it was as simple as SC \\machine query, haha.
 

Expert Comment

by:aaronrhodes
ID: 34121535
You could roll out the server admin pack and then the certutil command via a logon script? That way it runs on the client and covers both requirements in one hit.

Definitely!
 

Author Comment

by:nightcasino
ID: 34121548
Well the best news is that it is already installed on the target machines. I'm just trying to figure out how to use it. I'm used to seeing the names of the certs. Can't seem to figure that one out.
 

Author Comment

by:nightcasino
ID: 34121644
I cannot for the life of me get it to display the certs like they do in MMC.
Under \\machinename\Personal\Certificates
it says issued to, issued by, expire date, intended purpose, provided by.
 

Expert Comment

by:aaronrhodes
ID: 34121718
This is a pretty comprehensive guide on using certutil.

http://technet.microsoft.com/en-us/library/cc772898(WS.10).aspx#BKMK_ver_certs_store

What is the certificate for?
 

Author Comment

by:nightcasino
ID: 34121744
There is a cert titled with the machine name, used for client authentication, that we need to delete to let the required one be the only one listed. Then the wireless connections work again.
 

Expert Comment

by:aaronrhodes
ID: 34121778
You need to figure out which store your certificate is in (you can use certutil -viewstore). Once you've found it you can get the certificate index and pass it in to the -delstore command switch. If you have a look at the link I sent, one of the last sections is for deleting certificates from both the local machine store and the current user store.

What happens if you just type certutil? What data do you get out? On my Windows 7 machine (I don't have XP to hand) it gives me a list of all of the certificates installed on my machine across all stores.
 

Author Comment

by:nightcasino
ID: 34121819
I'll try the certutil -viewstore command and see.

Well, on my local machine it pulls the list of certs as I would expect. On the target machine using psexec it displays just numbers like this:
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
417.329.0: 0x80070002 (WIN32: 2)
417.596.0: 0x80070002 (WIN32: 2)
Then at the bottom it says:
CertUtil: The system cannot find the file specified.
 

Expert Comment

by:aaronrhodes
ID: 34121841
Hmm. Sounds like you might need to get the process up and running directly on one of the boxes and push it out via a logon script.

What are those numbers? Are they cert IDs? Can you get any more information on a cert-by-cert basis using any other command switches?
 

Author Comment

by:nightcasino
ID: 34121847
Ah, see, you can't run the -viewstore command using psexec because it actually pops up a menu.
 

Expert Comment

by:AmazingTech
ID: 34123253
Are you only wanting to delete expired certificates? Or all personal certificates?
 

Author Comment

by:nightcasino
ID: 34123602
Well specific personal ones. Mainly there is a personal cert titled the machine name.
 

Accepted Solution

by:AmazingTech (earned 500 total points)
ID: 34124655
Actually, all personal certificates are stored in your user profile, and certificates usually have the same filename per certificate.

So to see your own personal certificates run this:

dir /b /a "%AppData%\Microsoft\SystemCertificates\My\Certificates"

So once you've figured out this filename you could delete them all.

del /a /s "C:\Documents and Settings\123B23F2323E232A64743D243453B234924"

Or of course remotely:

del /a /s "\\RemoteComputer\C$\Documents and Settings\123B23F2323E232A64743D243453B234924"

Heard you laughing 11/12/10 07:37 AM, ID: 34121406, but it could actually be really simple.
 

Author Comment

by:nightcasino
ID: 34129276
Nothing seems to be there. I get no results when searching for the certificates. :-(
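Added example (editor's note, not part of the thread or either participant's code). The dir/del search in the accepted solution comes up empty because %AppData%\Microsoft\SystemCertificates\My is the current user's Personal store, while the certificates the question is about sit in the machine's Personal store (the "machine name\Personal" node in MMC), which Windows keeps in the registry under HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates, one key per SHA-1 thumbprint, not as files in a profile. The PowerShell below runs only on the administrator's workstation and opens that remote machine store the same way the Certificates snap-in does when you pick "Another computer" (through the Remote Registry service), so nothing has to be installed on the XP targets. It lists the store with the columns the asker is used to and deletes a certificate by thumbprint only, never by name, since the old and the new certificate here carry the same machine-name subject. It also notes the non-interactive certutil forms that the -viewstore/-delstore comment was pointing at. Assumptions: PowerShell 2.0 or later on the workstation, the caller is a local Administrator on the target, Remote Registry is running there, and the computer name WS01 and the subject text are placeholders.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 2.0+ on the
# admin workstation; caller is a local Administrator on the target; the Remote
# Registry service is running on the target (the same requirement the MMC
# Certificates snap-in has for "Another computer"). "WS01" is a placeholder.

function Open-RemoteMachineStore {
    param([string]$ComputerName, [switch]$ReadWrite)
    # A store name of the form \\computer\My makes CertOpenStore open the
    # remote machine's LocalMachine store over Remote Registry, which is what
    # the MMC snap-in does behind the scenes. Nothing is deployed to the target.
    $typeName = 'System.Security.Cryptography.X509Certificates.X509Store'
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object -TypeName $typeName -ArgumentList "\\$ComputerName\My", $location
    $flags = if ($ReadWrite) { 'ReadWrite' } else { 'ReadOnly' }
    $store.Open($flags)   # OpenFlags; the string converts to the enum
    return $store
}

function Get-RemoteMachineCert {
    param([string]$ComputerName, [string]$SubjectMatch = '')
    $store = Open-RemoteMachineStore -ComputerName $ComputerName
    try {
        foreach ($cert in $store.Certificates) {
            if ($cert.Subject -notlike "*$SubjectMatch*") { continue }
            # Intended purposes come from the Enhanced Key Usage extension;
            # a certificate without one is valid for any purpose.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $purposes = if ($eku) {
                ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
            } else { '<all>' }
            # The columns the snap-in shows, plus the thumbprint, which is the
            # only safe key for deleting when two certs share a subject.
            New-Object PSObject -Property @{
                IssuedTo   = $cert.GetNameInfo('SimpleName', $false)
                IssuedBy   = $cert.GetNameInfo('SimpleName', $true)
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Purposes   = $purposes
                Thumbprint = $cert.Thumbprint
            }
        }
    } finally { $store.Close() }
}

function Remove-RemoteMachineCert {
    param([string]$ComputerName, [string]$Thumbprint, [switch]$DryRun)
    $store = Open-RemoteMachineStore -ComputerName $ComputerName -ReadWrite
    try {
        $targets = @($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })
        if ($targets.Count -eq 0) {
            Write-Warning "No certificate with thumbprint $Thumbprint in \\$ComputerName\My"
            return
        }
        foreach ($cert in $targets) {
            if ($DryRun) {
                Write-Host "Would remove: $($cert.Subject) [$($cert.Thumbprint)]"
            } else {
                # Deletes the registry entry on the remote machine. The private
                # key container, if any, is not removed by this call.
                $store.Remove($cert)
                Write-Host "Removed: $($cert.Subject) [$($cert.Thumbprint)]"
            }
        }
    } finally { $store.Close() }
}

# Usage (placeholder names). Look first: the listing shows whether the current,
# required certificate is actually present before the expired one goes.
Get-RemoteMachineCert -ComputerName 'WS01' -SubjectMatch 'WS01' |
    Format-Table IssuedTo, IssuedBy, NotAfter, Expired, Purposes, Thumbprint -AutoSize

# Then delete only what has already expired; drop -DryRun once the listing
# shows exactly the certificate you expect.
Get-RemoteMachineCert -ComputerName 'WS01' -SubjectMatch 'WS01' |
    Where-Object { $_.Expired } |
    ForEach-Object { Remove-RemoteMachineCert -ComputerName 'WS01' -Thumbprint $_.Thumbprint -DryRun }

# Equivalent non-interactive certutil calls on the target itself (e.g. under
# psexec): "certutil -store My" dumps the machine Personal store to the console,
# and "certutil -delstore My <thumbprint>" deletes one entry by its SHA-1 hash.
# "certutil -viewstore" opens a dialog box, which is why it hangs under psexec.
```

Two caveats worth keeping in mind with either approach. First, deleting by name is how the wrong certificate gets removed when the expired and the current one are both issued to the machine name, so select by thumbprint and check NotAfter, as the listing does. Second, removing the certificate does not remove its private key container under ProgramData\Microsoft\Crypto; that is harmless for an expired certificate but worth knowing if the goal is a clean re-enrolment.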
