Powershell Remotely Delete PKI Certificates

Question

I recently rebuilt my PKI and I would like to delete the certificates that were issued to all client machines across my network. Sounds like a job for Powershell! So I wrote this script to be distributed by GPO, ran from SysVol, and triggered on client machines at startup:

set-location cert:\LocalMachine\My
$certname = $env:COMPUTERNAME + ".domain.com"
get-item * | %{
if($_.issuer -like "CN=IssuingCA*" -and $_.DnsNameList.unicode -like $certname) { remove-item .\$_.Thumbprint -Force }
}

From an elevated command prompt:

When Ran, the script gives no output (simply a new terminal line). It returns no errors and the Certificate is not deleted.
When the argument -WhatIf is added to the Remove-Item command in the script, again no errors and the Certificate is not deleted.
When Remove-Item .\CERTIFICATE-THUMBPRINT -Force is ran, the certificate is deleted.

Is this a permissions issue? Is there a smarter/simpler way to do this?

Thanks!

@BigHomie. Yes, I tried that. I seem to have removed that information in an edit... — Byron C., Jul 09 '14 at 15:38
In your conditional codeblock, add in a `write-host` to dump something on the screen if the conditional is true. I'm wondering if the script is evaluating as false (would explain the no error and no action). — Colyn1337, Jul 09 '14 at 16:10
@ByronC. What happens if the codeblock is just `Remove-Item -Force`? — Colyn1337, Jul 09 '14 at 16:23
Please try "remove-item "$(Get-Location)\$($_.Thumbprint)" -Force -WhatIf" — Bin, Jul 09 '14 at 17:05
Both suggestions simply end without deleting the cert. I have however found a 'Smarter/Simpler' way of doing it. Although I am still curious about the script.... — Byron C., Jul 09 '14 at 17:31

Colyn1337 · Accepted Answer · 2014-11-07T20:43:16.923

My answer is for the "Is there a smarter/simpler way to do this?" part of your question. This script was successful in removing a go daddy cert for me

$Path = 'Cert:\LocalMachine\AuthRoot\'
$CertList = @()

$CertList = Get-ChildItem -Path $Path | Where-Object {$_.Issuer -like "CN=GO*"}

foreach($Cert in $CertList){
    remove-item "$($Path)$($Cert.Thumbprint)" -Force -WhatIf
}

I added a -WhatIf so that this code wasn't dangerous for the "copy\paste\run" folx. Now, you'll need to adapt the $Path, Where-Object, and add the $certname variable, but the above template should have you going.

score 3 · Answer 2 · answered Jul 09 '14 at 17:41

Although I have not been able to solve the issue with the script, I was able to find a 'Smarter/Simpler' way to achieve my goal.

From the Certificate Authority:

Rt-Click Certificate Templates and select Manage
Rt-Click the Certificate Template you wish to replace and select Reenroll All Certificate Holders

This will increment the Version number of the template and network systems with auto-enroll will delete the old cert and enroll with the new cert.

Though this requires auto-enrollment for the specific template I am working with, a solution to the script posted would be a preferable answer.

Powershell Remotely Delete PKI Certificates

2 Answers2