Solved

How to remove computer certificate from the local store

Posted on 2013-01-31
Last Modified: 2013-02-13
Hello,

we have by mistake enrolled 2 computer certificates of the same kind to all workstations within our company. They were both made from the "Computer Certificate Template" and each one is named differently. My question is: how can I delete from all workstations the certificate created from "Template Y" without touching the certificate from "Template X"?

thanks in advance
[attached screenshot: Capture.PNG]
Question by:ZUNO
12 Comments
 

Expert Comment

by:ndr-itsolutions
ID: 38840078
You could use Powershell to remove the certificates, have a look at the following article:

http://technet.microsoft.com/en-us/library/hh847855.aspx

Author Comment

by:ZUNO
ID: 38854857
Hi,

I have performed the following operation, "get-ChildItem cert:LocalMachine\My", but from its output I cannot distinguish which certificate is from the desired template.

PS H:\> get-ChildItem cert:LocalMachine\My


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
541542F127F98522C372A82004F76D3716BBE814
115443E2E2EC110D6032EA0C022B5343B770D678

I checked manually that thumbprint 541542F127F98522C372A82004F76D3716BBE814 corresponds to the certificate I want to delete, but it differs on every single PC.

Is there any way I can filter out only the certificate from my desired template? Otherwise this command will be useless for me, as I need to run a start-up script that automatically deletes the specified certificate from all PCs.

LVL 25

Expert Comment

by:Coralon
ID: 38866733
Normally, you should be able to differentiate them just by the expiration date.  In your screenshot, they clearly have different ones.

If you are not sure, then your best bet is to just delete them both and then install the one you want on *one* machine.  That will tell you the expiration date, and then you will know which one to delete off of the other machines.

Coralon

Author Comment

by:ZUNO
ID: 38867306
Hi Coralon,

thanks for your reply, but unfortunately this is not possible, as we are using DOT1x and those certificates are used to authenticate computers on our network. This means that if none of them is found, you are not authorised to access the corporate network.

LVL 41

Expert Comment

by:footech
ID: 38868890
get-ChildItem cert:LocalMachine\My | Select *

Open in new window

Running the above will show you all the properties that you have access to.  I have no first-hand experience with it myself, but from my knowledge the only practical way to manage local certificates with PowerShell is to use the Quest cmdlets.

It's easy enough to revoke all the certificates that have been issued from a particular template through the MMC on the CA, but this won't actually delete the certs.
LVL 25

Expert Comment

by:Coralon
ID: 38870351
That's why I was saying to try it on one machine.  Since you do require it in order to access your network, then it's still entirely possible.

Take that 1 machine, change the local admin password, or add a local admin account.  Remove both certs.  Then add the oldest one back and see if you can login to the network.  If that doesn't work, swap them out, and you should be good to go.  You'll be able to use the local account in order to login to swap out the certs.

Coralon

Author Comment

by:ZUNO
ID: 38879378
Hi footech, I have tried your command and now I see all the info I need. Currently I would need some script/command that will do the following:
"delete cert from cert:LocalMachine\My where SerialNumber = 123456"  

Is there anything like this? Or

"delete cert from cert:LocalMachine\My where TemplateName = TemplateX"


Coralon, for some unknown reason I'm not able to delete those certs - still getting an error. I have tested it with a local user account on a test computer, with the local admin account on the test computer, and with an Enterprise admin account on another computer, and those certs are still there :-/

I have never worked with PowerShell so what am I doing wrong?

PS C:\> get-childitem cert:\LocalMachine\My


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
541542F127F98522C372A82004F76D3716BBE814
115443E2E2EC110D6032EA0C022B5343B770D678


PS C:\> remove-item cert:\LocalMachine\My\

Confirm
The item at cert:\LocalMachine\My\ has children and the Recurse parameter was not specified. If you continue, all
children will be removed with the item. Are you sure you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Remove-Item : Provider execution stopped because the provider does not support this operation.
At line:1 char:12
+ remove-item <<<<  cert:\LocalMachine\My\
    + CategoryInfo          : NotImplemented: (:) [Remove-Item], PSNotSupportedException
    + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.RemoveItemCommand

PS C:\>




PS C:\> PS C:\>get-childitem cert:\LocalMachine\My\541542F127F98522C372A82004F76D3716BBE814
Get-Process : A positional parameter cannot be found that accepts argument 'cert:\LocalMachine\My\541542F127F98522C372A
82004F76D3716BBE814'.
At line:1 char:3
+ PS <<<<  C:\>get-childitem cert:\LocalMachine\My\541542F127F98522C372A82004F76D3716BBE814
    + CategoryInfo          : InvalidArgument: (:) [Get-Process], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand

PS C:\>

LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 38882045
PS 2.0 doesn't really support removing certs with built-in cmdlets (see http://technet.microsoft.com/en-us/library/hh847807.aspx ), though I have found a work-around.
Since "serialnumber" is actually a property that we have access to, we could match against that, but no two certificates should have the same serial number, so I don't see it being of much use in the long run.  There is no attribute for template name and I don't know how the snap-in determines this.  I did some digging and there is some related info in a certificate's extensions, but running a command like the following, I don't see a match between any of the values (which look like OIDs) and the numbers I could see in the templates.  It appears that the OID actually matches the template version.
gci cert:\LocalMachine\My | % {$_.extensions} | % {$_.oid | ? {$_.FriendlyName -like "Certificate Template*" }}

Here's some PS code you can use to remove a certificate, but I'm still not sure what criteria you would use to filter the list.  I'm kind of thinking expiration (or start) date might be best, but that depends on your environment (whether there was a clear separation between certificates issued with one template vs. another).
# Open the Local Machine "Personal" (My) store for writing.
# Writing to this store needs local admin (or SYSTEM, e.g. from a GPO start-up script).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$store.Open("ReadWrite")
# Need some criteria here to filter the list of certificates appropriately.
# The date string is converted to [datetime] with the invariant culture, so keep it in M/d/yyyy form.
$certs = $store.Certificates | Where {$_.NotBefore -lt "7/20/2012"}
ForEach ($cert in $certs)
{
  # Remove() deletes the certificate (and its private key association) from the store.
  $store.Remove($cert)
}
$store.Close()


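An added example, not footech's script and not code posted in this thread: the same X509Store removal, but selecting certificates by the template they were issued from, which is what the question actually asks for. The certificates MMC derives its "Certificate Template" column from two Microsoft extensions: 1.3.6.1.4.1.311.20.2 (Certificate Template Name, used by version 1 templates, containing the template's internal name) and 1.3.6.1.4.1.311.21.7 (Certificate Template Information, used by version 2 and later templates, containing the template OID plus major/minor version). Both decode with the extension's Format() method, so a script can filter on them without relying on thumbprints or dates. Assumptions: 'TemplateY' is a placeholder for the real template name (v1) or template OID (v2+); the script runs elevated or as SYSTEM from a start-up script, since writing to LocalMachine\My needs that; and the regex for the v2 text matches the "Template=Name(OID), Major Version Number=..., Minor Version Number=..." form that Format() produces. It works on PowerShell 2.0 (no Remove-Item support in the Cert: provider there; Remove-Item on a thumbprint path only arrived in 3.0).

```powershell
# Added example (not from the thread): remove machine certificates issued from a
# given certificate template, identified by the template extension in the cert.
# ASSUMPTION: 'TemplateY' below is a placeholder; use the real template name (v1
# templates, e.g. "Machine" for the built-in Computer template) or template OID (v2+).

$OidTemplateNameV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1): template name as a string
$OidTemplateInfoV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+): template OID + version

function Get-CertTemplateInfo {
    # Returns Thumbprint, Subject, NotAfter, TemplateName and TemplateOid for one certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $templateName = $null
    $templateOid  = $null
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $OidTemplateNameV1) {
            # Format() decodes the BMPString value into the plain template name.
            $templateName = $ext.Format($false).Trim()
        }
        elseif ($ext.Oid.Value -eq $OidTemplateInfoV2) {
            # Format() yields e.g.
            #   "Template=Workstation Authentication(1.3.6.1.4.1.311.21.8.x.y.z), Major Version Number=100, Minor Version Number=5"
            # or, when the template OID has no friendly name on this machine,
            #   "Template=1.3.6.1.4.1.311.21.8.x.y.z, Major Version Number=100, Minor Version Number=5"
            $text = $ext.Format($false)
            if ($text -match 'Template=(?:(?<name>[^(,]+?)\()?(?<oid>[0-9.]+)\)?') {
                $templateOid = $Matches['oid']
                if ($Matches['name']) { $templateName = $Matches['name'].Trim() }
            }
        }
    }
    New-Object PSObject -Property @{
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        NotAfter     = $Cert.NotAfter
        TemplateName = $templateName
        TemplateOid  = $templateOid
    }
}

function Remove-CertByTemplate {
    # Removes every LocalMachine\My certificate whose template name or template OID equals $Template.
    # -DryRun only lists what would be removed. Returns the number of matching certificates.
    param(
        [string]$Template,
        [switch]$DryRun
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $all     = @($store.Certificates | ForEach-Object { $_ })
        $targets = @($all | Where-Object {
            $info = Get-CertTemplateInfo -Cert $_
            ($info.TemplateName -eq $Template) -or ($info.TemplateOid -eq $Template)
        })

        # Guard rail for the 802.1X situation in the thread: never empty the store,
        # or the machine loses the certificate it needs to authenticate to the network.
        if ($targets.Count -gt 0 -and $targets.Count -ge $all.Count) {
            throw "Refusing to remove all $($targets.Count) certificate(s) from LocalMachine\My."
        }

        foreach ($cert in $targets) {
            if ($DryRun) {
                Write-Host ("Would remove {0}  {1}  expires {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
            } else {
                $store.Remove($cert)
                Write-Host ("Removed {0}  {1}" -f $cert.Thumbprint, $cert.Subject)
            }
        }
        return $targets.Count
    }
    finally {
        $store.Close()
    }
}

# 1. Inventory: see which template each certificate in the store came from.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertTemplateInfo -Cert $_ } |
    Format-Table Thumbprint, TemplateName, TemplateOid, NotAfter -AutoSize

# 2. Dry run, then (after checking the output) the real removal. 'TemplateY' is a placeholder.
Remove-CertByTemplate -Template 'TemplateY' -DryRun
# Remove-CertByTemplate -Template 'TemplateY'
```

Run the inventory step on one workstation first: the TemplateName column shows the template's internal name, not its display name (the built-in "Computer" template, for instance, reports "Machine"), and v2 templates are easiest to match on the OID, which is the same on every machine even though the thumbprint is not. Deployed as a GPO start-up script it runs as SYSTEM, which has the write access the thread's local-admin attempts with Remove-Item lacked on PowerShell 2.0.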
LVL 25

Expert Comment

by:Coralon
ID: 38883036
You couldn't delete it with the local admin?  That seems really odd.  I'm talking about doing this graphically with the certificates MMC.  If it was still locked, I'd remove the network cable, reboot it, and try again from the console of the machine.

Coralon

Author Comment

by:ZUNO
ID: 38884876
Hi footech,

your script works like a charm :) I just changed one parameter to meet my expiration date.

{$_.NotBefore -lt "7/20/2012"} => {$_.NotAfter -gt "1/1/2015"}

thanks for your help