1

I am trying to delete a certificate and its private key using `certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -delkey "the key container"`. This gave me a "command completed successfully" message. I then checked what is in the store again with `certutil -store`; this still lists the certificate. When I then try to delete again, it gives me "KeySet does not exists". Can someone explain what the -delkey option does and why the certificate still appears in the output?

lee23
  • 131
  • 2
  • Certificates can have a private key associated with them. Looks like the `-delkey` only removes the private key associated to that certificate. If you want to also delete the certificate you should use the `-delstore` parameter as CBHacking comments in his/her answer. – bradbury9 Apr 21 '21 at 12:36
  • Running `certutil -uSAGE` shows it is available as `-delkey -- Delete named key container`. Then `certutil -delkey -?` shows sparse info. – garethTheRed May 10 '21 at 09:44

2 Answers

0

certutil is one of the less-well-documented commands I know of. However, both by considering the existence of the -delstore command ("Delete certificate from store") and considering what a key container is probably doing, my best guess is that the command deleted the private key storage (and, presumably, any private keys it contained) but did not delete the corresponding certificate(s).

Does the certificate in question have an associated private key known to the system? You can find this at the bottom of the text output, somewhat indirectly - it'll say "Cannot find the certificate and private key for decryption" or similar if not - or you can use the certmgr.msc graphical tool to view installed certificates; ones with a private key will display this on their icon, plus have the text "You have a private key that corresponds to this certificate" in the General tab of the certificate info window. If it doesn't now, did it have one before?

CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • The documentation is pretty poor indeed, but you can add a link to the [certutil doc](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) – bradbury9 Apr 21 '21 at 12:38
  • Yeah ok, it must be that I need to delete the key, then delete the certificate. Strangely the delkey option is not documented on that Microsoft page. – lee23 Apr 22 '21 at 04:21
0

From TechNet:

... At first, you delete the key and only then remove certificate from certificate store.

As bradbury9 mentioned already in the comments, you can get the documentation of -delkey by issuing certutil -delkey -?. It will only delete the key, not the certificate. Procedure to delete both:

```powershell
# Get the certificate, e.g. by serial number
$cert = Get-ChildItem -Path Cert:\ -Recurse | Where-Object {$_.SerialNumber -eq '<SERIAL_NUMBER>'}

# Get the associated key container name
$kcn = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

# Delete the key
CertUtil.exe -delkey $kcn

# Delete the certificate
$cert | Remove-Item
```
stackprotector
  • 1,621
  • 3
  • 6
  • 15
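The two-step nature of the procedure (delete the key container, then delete the certificate) is what explains the behaviour in the question: `-delkey` never touches the certificate, so `certutil -store` keeps listing it, and a second `-delkey` fails because the container is already gone. The script below is an added example, not code from either answer or from Microsoft; it resolves the key container for both legacy CAPI keys (the question's "Microsoft Enhanced Cryptographic Provider v1.0" case) and CNG keys, runs the `-delkey` step with the matching `-csp` and `-user` scope, shows that the certificate is still listed afterwards, and only then removes it. The `Get-KeyContainer` helper, the `$Thumbprint`/`$StorePath` parameters and the hash-table shape it returns are this example's own assumptions.

```powershell
# Added example (not part of either answer): delete a certificate and its private key as
# two explicit steps, and show why the certificate is still listed after the key is gone.
# Assumptions: caller supplies a thumbprint and store path; run elevated for LocalMachine.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

# Resolve the key container behind the certificate. HasPrivateKey only reports that a
# key-provider property is attached to the certificate; it does not prove the container
# still exists, so we try to open the key and treat failure as "already deleted".
function Get-KeyContainer([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    if (-not $c.HasPrivateKey) { return $null }
    try {
        # Legacy CAPI key: container name and CSP name come from CspKeyContainerInfo
        $csp = $c.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            return @{ Name     = $csp.CspKeyContainerInfo.KeyContainerName
                      Provider = $csp.CspKeyContainerInfo.ProviderName }
        }
    } catch { }   # CNG-backed certificates throw here in Windows PowerShell; fall through
    try {
        # CNG key: key name and key storage provider (KSP) come from the CngKey object
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return @{ Name = $rsa.Key.KeyName; Provider = $rsa.Key.Provider.Provider }
        }
    } catch { }
    return $null   # property present but no usable key: the container is already gone
}

# certutil operates on machine keys unless told otherwise; CurrentUser stores need -user
$certutilScope = @()
if ($StorePath -like 'Cert:\CurrentUser\*') { $certutilScope = @('-user') }

# Step 1: delete the private key container (this is all -delkey ever does)
$kc = Get-KeyContainer $cert
if ($kc) {
    Write-Host "Deleting key container '$($kc.Name)' in provider '$($kc.Provider)'"
    & certutil.exe @certutilScope -csp $kc.Provider -delkey $kc.Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -delkey failed with exit code $LASTEXITCODE" }
} else {
    Write-Host "No private key container found for $Thumbprint (nothing to -delkey)"
}

# The certificate is untouched at this point, which is what the question observed
$still = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
Write-Host ("Certificate still listed after -delkey: {0}" -f [bool]$still)

# Step 2: remove the certificate itself from the store
$still | Remove-Item
Write-Host "Certificate $Thumbprint removed from $StorePath"
```

Save it as, for example, `Remove-CertAndKey.ps1` and call it with `-Thumbprint <thumbprint> -StorePath Cert:\LocalMachine\My`. On Windows 8 / PowerShell 3.0 and later the Certificate provider also accepts `Remove-Item -DeleteKey`, which performs both steps in one call; the explicit version above is useful when you need to confirm which step is failing, as in the question.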