Skip to content

Microsoft Server: Remotely delete certificate for users

So you want to delete a user's certificate? "But it's so cumbersome!" you say? Rubbish, I answer! It actually is pretty much a one liner, depending on your screen resolution of course... As I could not find a useful and simple script doing what I wanted on the entire internet (i.e. the first two pages of my Google results) I whipped out the old Powershell and started typing. The result may be used by you in whatever way you deem fit.
If you are asking yourselves "But why???", let me explain: Maybe you don't want to automatically enroll all your domain users for a user certificate, and instead only issue certificates for a select few. So, what happens, if the user account is deactivated and removed? The certificate remains. We don't want that! So we have to log on to our CA server, and meticulously delete each certificate.

All you need is a Powershell and sufficient rights to connect to the CA-server in your enterprise structure. So, let's begin.

#Read username and remote host
$username = read-host -Prompt "Please enter the user's name"
$remotehost = read-host -Prompt "Please enter the remote host's hostname"

Pretty basic so far. Enter a user's credentials used in the certificate you want to remove, according to your companies certificate structure. We continue with our remote connection:

#Initiate PSSession to read certificates
Invoke-Command -ComputerName $remotehost -ScriptBlock{

This actually invokes the commands specified in our ScriptBlock on the remote system and returns every stream to the invoking system. Pretty neat, and a great improvement over good ol' PSExec.

#Get LocalMachine-Certificate and store
$cert = Get-ChildItem -recurse Cert:\LocalMachine | ? {$_.Subject -like "*$username*"}
$temp = certutil -store $cert.PSParentPath -split("\\")
$serialnumber = $cert.Serialnumber
$certstore = $temp[$temp.Length -1]

As you can see, the certificate store of each machine is actually a mappable folder structure. You can navigate the CAs stores like you navigate your file system on the command line. So, what you actually do is: enumerate all members recursively and filter by your user's name as displayed in the certificate's subject. You can enter the CN or whatever your subject is in your enterprise structure.
To use certutil and delete the certificate we need the certificate store. To do this, I split the certificates parent folder and extract the store string. Additionally the serial number is extracted from the certificate, because it will also be used by certutil to identify the certificate.

#Print info and prompt user to delete or abort
write-host "The following certificate will be deleted:\r\n"

switch(read-host -Prompt "Press y to continue or n to abort.")
y {certutil -delstore $certstore; write-host "Certificate with serial number $serialnumber succesfully deleted!" }
n {break;}
default {break;}

Of course you would like to be asked, if this is indeed the correct certificate, wouldn't you? I know you would. After the user's confirmation, certutil is called with the switch -deletestore, which deletes the specified certificate from the specified store.



Keine Trackbacks


Ansicht der Kommentare: Linear | Verschachtelt

Noch keine Kommentare

Die Kommentarfunktion wurde vom Besitzer dieses Blogs in diesem Eintrag deaktiviert.

Kommentar schreiben

Umschließende Sterne heben ein Wort hervor (*wort*), per _wort_ kann ein Wort unterstrichen werden.
Standard-Text Smilies wie :-) und ;-) werden zu Bildern konvertiert.