Skip to content

Deleting Unwanted Certificate Stores From Windows

January 22, 2011

I was recently experimenting with creating certificates for Windows using the makecert.exe tool.  I discovered that after creating a few certificate stores I didn’t intend to keep, there was no obvious way to delete them.  Certificates can be easily deleted by using the certificates snap-in for the Microsoft Management Console, but for some reason this tool doesn’t delete stores.

This blog explains a way to remove the stores programmatically.  I figured there must be an easier way, so on a hunch I looked for my store names in the registry–if so, then deleting their registry entry may be enough to remove them.  Sure enough, using regedit to search for keys matching my store name revealed several entries scattered around.  Depending on how created (assume the store name is MyStore), it may land in any or all of several paths such as:


The workings of the registry are a mystery to me, and I never know if it’s safe to tamper with, but since I never intended to use the stores from my experiments, I figured it would be OK to just delete every entry.  First I backed up the registry (just in case), then deleted each of the registry entries.  And viola, refreshing the view in MMC revealed the stores were now gone.  Assuming that deleting certificate stores is not a regular occurrence, searching and deleting in regedit is a simpler (and faster) approach than writing a program.

By the way, if you find yourself in need of creating a certificate using makecert.exe, the same blog mentioned above has one of the best descriptions I’ve found on how to use it.

It doesn’t mention one gotcha I discovered by trial and error:  without specifying an -sk option, it created the key using some default key container, and attempting to export key parameters in .NET code (using ExportParameters() or ExportCspBlob()) throws an exception–apparently the key container will not allow it.  After recreating the certificate while providing a name to the -sk option, I was able to successfully export the key in .NET code (it will create the key container if it does not exist).  One other tip:  if you don’t need an authority to sign an exchange certificate, you can use -r to self-sign it.

12 Comments leave one →
  1. Tatiana permalink
    February 25, 2011 7:38 AM

    I like this article. Right to the point. Thank you!
    May be you can clarify one mystery for me?
    For example, there is a private certificate in Local Machine/Personal folder – MyPrivateCert.
    There is a corresponding file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. And there is a corresponding key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys.
    After removing MyPrivateCert in MMC, the private key is not deleted from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys. And it creates potential problems.
    Why it happens?
    Thank you,


    • sbanacho permalink*
      July 2, 2012 1:39 PM

      I don’t know why Windows does not remove the corresponding key and registry entry. Maybe removal was never properly implemented. Or perhaps removing via MMC is not the “correct” way; but if not, I don’t what is.

  2. briceorbryce permalink
    November 27, 2017 10:54 PM

    Here we are in 2017 and you helped save my life a bit. ThanksThanks
    I guess they don’t want you accidentally removing important certifications, like Windows Update or whatnot hehe.

  3. September 18, 2020 1:09 PM

    I used to be suggested this blog by means of my cousin. I am not
    sure whether this submit is written by means of him
    as no one else recognise such targeted about my problem.
    You are incredible! Thank you!

  4. October 20, 2020 6:51 PM

    What’s up to all, because I am truly keen of reading this
    website’s post to be updated regularly. It carries nice data.

  5. October 25, 2020 1:03 PM

    Hi thеre jᥙst wаnted to giᴠе you Opravy Podlah A Jejich Renovace quick hewads ᥙp.

    Tһe worԀs inn yoiur post ѕeem to bе running off the screen in Ie.

    I’m not ѕure if this is a formatting issue or somethibg to ԁ᧐ witth browser compatibility Ьut I figured І’d post tοo let yoou knoѡ.
    The design and style ⅼo᧐k grеat though! Hope
    you get tһe ⲣroblem fixed soon. Kudos

  6. October 25, 2020 10:05 PM

    I am in fact delighted to glance at this blog posts which consists of plenty of helpful
    data, thanks for providing such information.

  7. November 4, 2020 6:05 PM

    I know this website presents quality dependent content and additional
    information, is there any other site which offers these kinds of stuff in quality?

  8. November 9, 2020 5:51 PM

    Why does Windows create copies of certificates and place them in different certificate stores for no reason automatically?

    I understand that some certificates are needed in other certificate stores based on their usage like a cert in the ‘Personal’ store and in the ‘Trusted Root’ store.
    That makes sense.

    Why on my server, do I have a duplicate domain certificate both in the same ‘Trusted Root’
    certificate store? 1 cert has a private key and the other does not. They both have the same serial and thumbprints.

    Would it be safe to delete the duplicate copy of the certificate that doesn’t have the ‘private key’ attached?

  9. November 11, 2020 4:05 AM

    It does not take a whole day to attend a massage session and you can schedule your appointments yourself, making it possible to
    fit it even into the busiest day. With the help of these oils,
    an individual will feel more relax during
    a massage. It is also essential to get to the habit
    of working out to take care of muscle strength which will help prevent obesity.


  1. Delete A Certificate Store | Sladescross's Blog

Leave a Reply

Your email address will not be published. Required fields are marked *