Removing Certificates With Powershell



Scenario: During an AD migration I needed to remove all of the certificates from a migrated user’s local store which had been issued by the old domain’s CA. Not simply for housekeeping reasons but because the new domain makes use of credential roaming and we didn’t want a load of old certificates taking up space in AD for no reason.

The following code will remove all certificates issued by a given CA from the Personal (My) store of the currently logged-in user. If you want to narrow the criteria you can also filter on any of: Subject, Issuer, Thumbprint, FriendlyName, NotBefore, NotAfter or Extensions. You can also target different containers and switch between User (CurrentUser) and Machine (LocalMachine) certificate stores. As far as I’m aware there’s no way to do this for a user that isn’t currently logged in.

# Open the current user's Personal (My) store with the most access the caller is allowed
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open("MaxAllowed")
# Collect the matches first, then remove them; the filter is on Issuer here but Subject, Thumbprint, NotAfter etc. work the same way
$certs = $store.Certificates | Where-Object { $_.Issuer -eq "CN=My Issuing CA 1, DC=my, DC=domain" }
$certs | ForEach-Object { $store.Remove($_) }
$store.Close()
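As an added example (not the post's own code), here is the same removal wrapped in a function that takes the issuer DN, store container and store location as parameters, supports -WhatIf for a dry run before a migration, and emits a record of every certificate it removes so the change can be kept as evidence. The function and parameter names are my own choice.

```powershell
# Added example, not the original post's code: remove certificates by issuer from a chosen
# store, with -WhatIf/-Confirm support and an audit record of what was removed.
function Remove-CertificateByIssuer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # Exact issuer distinguished name, e.g. "CN=My Issuing CA 1, DC=my, DC=domain"
        [Parameter(Mandatory = $true)]
        [string]$Issuer,
        # Store container: My (Personal), Root, CA, TrustedPublisher, ...
        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName = 'My',
        # CurrentUser needs no elevation; LocalMachine needs an elevated session
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'CurrentUser',
        # Only remove certificates that are already past their NotAfter date
        [switch]$ExpiredOnly
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    try {
        # ReadWrite is the least access that still allows Remove(); MaxAllowed also works
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

        # Snapshot the matches first so we never remove from a collection we are enumerating
        $targets = @($store.Certificates | Where-Object {
            $_.Issuer -eq $Issuer -and (-not $ExpiredOnly -or $_.NotAfter -lt (Get-Date))
        })

        foreach ($cert in $targets) {
            # ShouldProcess honours -WhatIf and -Confirm, so a dry run is possible before the real removal
            if ($PSCmdlet.ShouldProcess("$($cert.Subject) (thumbprint $($cert.Thumbprint))", "Remove from $StoreLocation\$StoreName")) {
                $store.Remove($cert)
                # Emit an audit record; pipe the output to Export-Csv to keep evidence of what was removed
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run first, then the real removal with the audit records written to a CSV file
Remove-CertificateByIssuer -Issuer "CN=My Issuing CA 1, DC=my, DC=domain" -WhatIf
Remove-CertificateByIssuer -Issuer "CN=My Issuing CA 1, DC=my, DC=domain" | Export-Csv removed-certs.csv -NoTypeInformation
```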

See also https://www.angryadmin.co.uk/?p=600

3 Replies to “Removing Certificates With Powershell”

  1. My local users do not have admin permissions, therefore they are not able to delete certificates from the user or localmachine stores.

    I would like to automate but use Admin credentials when the script needs it. Thanks

    1. You shouldn’t need admin rights to modify the User store, but in terms of the Machine store I’m not aware of any way to provide credentials to the certificate interface via Powershell, so you’d have to execute the script as an admin account to do it.
