
Deleting Unwanted Certificate Stores From Windows

January 22, 2011

I was recently experimenting with creating certificates for Windows using the makecert.exe tool.  I discovered that after creating a few certificate stores I didn't intend to keep, there was no obvious way to delete them.  Individual certificates are easy to delete with the Certificates snap-in for the Microsoft Management Console, but for some reason the snap-in offers no way to delete a store itself.

One blog post explains a way to remove the stores programmatically.  I figured there must be an easier way, so on a hunch I searched the registry for my store names: if a store is just a registry key, deleting that key should be enough to remove it.  Sure enough, a regedit search for keys matching the store name turned up several entries scattered around.  Depending on how the store was created (assume its name is MyStore), it may land in any or all of the following paths:

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\MyStore
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EnterpriseCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\MyStore
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\SystemCertificates\MyStore
HKEY_USERS\S-1-5-21-124525095-708259637-1543119021-997773\Software\Microsoft\SystemCertificates\MyStore
HKEY_USERS\S-1-5-21-124525095-708259637-1543119021-997773\Software\Policies\Microsoft\SystemCertificates\MyStore

I never know how safe it is to tamper with the registry, but since I never intended to use the stores from my experiments, I figured it would be OK to delete every entry.  First I backed up the registry (just in case), then deleted each of the keys.  And voilà, refreshing the view in MMC showed the stores were gone.  Assuming that deleting certificate stores is not a regular occurrence, searching and deleting in regedit is simpler (and faster) than writing a program.

A few things are worth knowing before doing this.  The paths above map onto the CryptoAPI store locations: the ...\Microsoft\SystemCertificates keys under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are the CurrentUser and LocalMachine locations, the ...\Policies\Microsoft\SystemCertificates keys hold stores pushed by Group Policy (which will be recreated at the next policy refresh if the policy still defines them), and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates holds the enterprise stores published from Active Directory.  The HKEY_USERS\S-1-5-21-... entries are the same keys as the HKEY_CURRENT_USER ones for the logged-on user (HKEY_CURRENT_USER is a link to that SID's hive), so deleting one removes the other.  The HKEY_LOCAL_MACHINE keys need an elevated account.  And only remove stores you created yourself: the built-in stores (MY, Root, CA, Trust, AuthRoot, Disallowed, TrustedPublisher and so on) live under the same keys, and deleting one of them discards the trust anchors or explicit distrust entries the machine or user relies on.
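The same clean-up, done from PowerShell rather than by hand in regedit, as an added example that is not part of the original post.  It first calls the CryptoAPI function crypt32.dll exports for exactly this purpose, CertUnregisterSystemStore, for each store location, then walks the registry paths listed above, exporting each key that exists to a .reg file before removing it.  It assumes an elevated 64-bit Windows PowerShell session, a store name you created yourself (the built-in store names are refused), and that the backup directory name is your own choice; the HKEY_USERS\<SID> paths are omitted because they are the same keys as the HKCU: ones.

```powershell
# Added example (not from the original post): delete a self-created certificate store.
# Assumptions: elevated 64-bit Windows PowerShell; $StoreName is an experimental store,
# not a built-in one; $BackupDir is an arbitrary location for the .reg backups.
param(
    [Parameter(Mandatory)][string]$StoreName,
    [string]$BackupDir = (Join-Path $env:TEMP 'certstore-backup')
)

# Built-in system stores that must never be removed this way.
$protected = 'MY','Root','CA','Trust','AuthRoot','Disallowed','TrustedPublisher',
             'TrustedPeople','SmartCardRoot','REQUEST','UserDS','ADDRESSBOOK'
if ($protected -contains $StoreName) {
    throw "Refusing to delete built-in store '$StoreName'."
}

# 1) The supported way: CertUnregisterSystemStore from crypt32.dll.
#    pvSystemStore is a Unicode store name; dwFlags selects the store location.
$sig = @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CertUnregisterSystemStore(string pvSystemStore, uint dwFlags);
'@
$Crypt32 = Add-Type -MemberDefinition $sig -Name NativeMethods -Namespace Crypt32Demo -PassThru

# Location flags from wincrypt.h: the CERT_SYSTEM_STORE_*_ID value shifted left 16 bits.
# CERT_STORE_DELETE_FLAG asks for the store to be deleted, not merely unregistered.
$CERT_STORE_DELETE_FLAG = 0x10
$locations = [ordered]@{
    CurrentUser             = 0x00010000   # HKCU\Software\Microsoft\SystemCertificates
    LocalMachine            = 0x00020000   # HKLM\SOFTWARE\Microsoft\SystemCertificates
    CurrentUserGroupPolicy  = 0x00070000   # HKCU\Software\Policies\Microsoft\SystemCertificates
    LocalMachineGroupPolicy = 0x00080000   # HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
    LocalMachineEnterprise  = 0x00090000   # HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
}
foreach ($loc in $locations.GetEnumerator()) {
    $ok  = $Crypt32::CertUnregisterSystemStore($StoreName, $loc.Value -bor $CERT_STORE_DELETE_FLAG)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    '{0,-24} {1}' -f $loc.Key, $(if ($ok) { 'deleted' } else { "not deleted (Win32 error $err)" })
}

# 2) Belt and braces: the registry keys the post lists, backed up before removal.
#    HKEY_USERS\<SID>\Software\... is the same key as HKCU:\Software\..., so it is not repeated.
$regPaths = @(
    "HKCU:\Software\Microsoft\SystemCertificates\$StoreName",
    "HKCU:\Software\Policies\Microsoft\SystemCertificates\$StoreName",
    "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\$StoreName",
    "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName",
    "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$StoreName",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\EnterpriseCertificates\$StoreName",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\$StoreName",
    "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\SystemCertificates\$StoreName"
)
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
foreach ($p in $regPaths) {
    if (-not (Test-Path $p)) { continue }
    # reg.exe wants HKLM\... rather than HKLM:\...; export first so the change can be undone.
    $native = $p -replace '^(HK[A-Z]+):\\', '$1\'
    $file   = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    Remove-Item -Path $p -Recurse -Force
    "removed $p (backup: $file)"
}
```

Run it as `.\Remove-CertStore.ps1 -StoreName MyStore` (the script name is your own choice).  A "not deleted" line for a location is normal when the store was never created there; a failure for a Policies location usually means the store is still defined by Group Policy and will come back regardless of what you delete.  Each .reg file in the backup directory can be re-imported with `reg.exe import` if you removed the wrong thing.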

By the way, if you find yourself needing to create a certificate with makecert.exe, the same blog post mentioned above has one of the best descriptions I've found of how to use it.

It doesn't mention one gotcha I discovered by trial and error: without the -sk option, makecert created the key in some default key container, and attempting to export the key parameters from .NET code (using ExportParameters() or ExportCspBlob()) threw an exception; apparently that container will not allow it.  After recreating the certificate with a name passed to -sk (makecert creates the container if it does not exist), I was able to export the key from .NET.  Two related points are worth checking if you hit the same exception: ExportParameters(true) and ExportCspBlob(true) only succeed if the private key was marked exportable when it was generated (makecert's -pe option), and a key container belongs to either the user profile or the machine profile, so a key generated under one account is not reachable from another.  One other tip: if you don't need an authority to sign an exchange certificate, you can use -r to self-sign it.
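The makecert invocation the paragraph describes, followed by the .NET export that the unnamed default container refused, as an added example that is not part of the original post.  It creates a self-signed (-r) exchange key in a named container (-sk), marks it exportable (-pe, a flag the post does not mention), places the certificate in a CurrentUser store named MyStore, then loads it and exports the RSA parameters, catching the CryptographicException you get when the container or the key's exportability does not allow it.  It assumes makecert.exe is on the path (it ships with the Windows SDK), that Windows PowerShell 5.1 on .NET Framework is used so that the PrivateKey property returns an RSACryptoServiceProvider, and that the container name, subject and store name are illustrative.

```powershell
# Added example (not from the original post): create a cert with makecert using a named
# key container, then export its private key parameters from .NET as the post describes.
# Assumptions: makecert.exe on the path; Windows PowerShell 5.1 (.NET Framework);
# 'DemoKeyContainer', 'CN=MakecertDemo' and 'MyStore' are illustrative names.
$container = 'DemoKeyContainer'
$subject   = 'CN=MakecertDemo'

# -r  self-signed, no issuing authority needed
# -pe private key marked exportable (without it, ExportParameters($true) fails)
# -sk named key container; created if it does not exist
# -sky exchange key type; -ss/-sr put the certificate in CurrentUser\MyStore
& makecert.exe -r -pe -n $subject -sky exchange -sk $container -ss MyStore -sr currentuser
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Load the certificate back from the store makecert just created.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('MyStore', 'CurrentUser')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "certificate '$subject' not found in CurrentUser\MyStore" }

function Export-DemoKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    try {
        $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]$Certificate.PrivateKey
        # Throws CryptographicException when the CSP container refuses to release the key,
        # which is what an unnamed default container or a non-exportable key produces.
        $params = $rsa.ExportParameters($true)
        'Exported {0}-bit private key from container "{1}"' -f `
            ($params.Modulus.Length * 8), $rsa.CspKeyContainerInfo.KeyContainerName
    }
    catch [System.Security.Cryptography.CryptographicException] {
        'Export failed: {0}' -f $_.Exception.Message
    }
}

Export-DemoKey -Certificate $cert
```

Dropping -pe from the makecert line and rerunning is the quickest way to see the failure branch on a machine where -sk alone is not enough.  Note that makecert.exe is deprecated; on current Windows the equivalent is the New-SelfSignedCertificate cmdlet, which has its own -KeyExportPolicy parameter for the same exportability decision.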

4 Comments
  1. Tatiana
    February 25, 2011 7:38 AM

    I like this article. Right to the point. Thank you!
    Maybe you can clarify one mystery for me?
    For example, there is a private certificate in Local Machine/Personal folder – MyPrivateCert.
    There is a corresponding file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. And there is a corresponding key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys.
    After removing MyPrivateCert in MMC, the private key is not deleted from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys. And it creates potential problems.
    Why does it happen?
    Thank you,

    Tatiana

    • sbanacho (author)
      July 2, 2012 1:39 PM

      I don't know why Windows does not remove the corresponding key and registry entry. Maybe removal was never properly implemented. Or perhaps removing via MMC is not the "correct" way; but if not, I don't know what is.
