Scenario: During an AD migration I needed to remove all of the certificates from a migrated user’s local store which had been issued by the old domain’s CA. Not simply for housekeeping reasons but because the new domain makes use of credential roaming and we didn’t want a load of old certificates taking up space in AD for no reason.
The following code will remove all certificates issued by a given CA (the issuer DN in the filter) from the Personal (My) store of the currently logged in user. If you wanted to narrow the criteria you can also filter on any of: Subject, Issuer, Thumbprint, FriendlyName, NotBefore, NotAfter or Extensions. You can also target different containers and switch between User (CurrentUser) and Machine (LocalMachine) certificate stores. As far as I’m aware there’s no way to do this for a user that isn’t currently logged in.
# Open the current user's Personal (My) store with the highest access the caller is granted
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open("MaxAllowed")
# Select only certificates whose issuer DN exactly matches the old domain's CA
$certs = $store.Certificates | ?{ $_.Issuer -eq "CN=My Issuing CA 1, DC=my, DC=domain" }
# Remove each match from the store, then close it
$certs | %{ $store.Remove($_) }
$store.Close()
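As an added example (not code from the original post), here is the same clean-up written against the Cert: provider instead of the X509Store object, so that the selection can be previewed with -WhatIf and every removed certificate is logged before it goes. It assumes PowerShell 3.0 or later (Remove-Item on the Cert: drive and Export-Csv -Append), and the issuer DN, store path and log path are placeholders to adjust for your own environment. The -ExpiredOnly switch shows how a second property from the list above (NotAfter) is combined with the issuer filter.

```powershell
# Added example, not code from the original post: preview (with -WhatIf) and then remove
# certificates from a user or machine Personal store by issuer and expiry, recording
# what was removed. The issuer DN below is a placeholder for the old domain's CA.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Issuer    = 'CN=My Issuing CA 1, DC=my, DC=domain',  # placeholder: old CA's DN
    [string]$StorePath = 'Cert:\CurrentUser\My',                  # Cert:\LocalMachine\My needs admin rights
    [switch]$ExpiredOnly,                                         # also require NotAfter to be in the past
    [string]$LogPath   = "$env:TEMP\removed-certs.csv"            # placeholder audit trail location
)

# The Cert: provider exposes each store as a folder of X509Certificate2 objects.
# -eq on Issuer forces an exact DN match; -like would also match similarly named CAs.
$targets = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Issuer -eq $Issuer } |
    Where-Object { -not $ExpiredOnly -or $_.NotAfter -lt (Get-Date) }

if (-not $targets) {
    Write-Host "No certificates in $StorePath issued by '$Issuer'."
    return
}

# Record thumbprint, subject and validity before touching anything, so the removal
# can be audited later or the certificate re-enrolled if it turns out to be needed.
$targets |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey |
    Export-Csv -Path $LogPath -NoTypeInformation -Append

foreach ($cert in $targets) {
    # ShouldProcess honours -WhatIf and -Confirm, so a dry run only lists what would be removed.
    if ($PSCmdlet.ShouldProcess("$($cert.Subject) ($($cert.Thumbprint))", "Remove from $StorePath")) {
        # -DeleteKey also removes the associated private key container, not just the certificate.
        Remove-Item -Path $cert.PSPath -DeleteKey
    }
}

Write-Host "Processed $(@($targets).Count) certificate(s); details logged to $LogPath."
```

Run it once with -WhatIf to confirm the filter only catches the old CA's certificates, then again without it; for the machine store pass -StorePath 'Cert:\LocalMachine\My' from an elevated session.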
See also https://www.angryadmin.co.uk/?p=600