How to clean up expired certs on your smart card
Hi all,
The other day a colleague of mine was trying to renew his smart card certificate, but he got an error telling him that there was not enough space in the card to store the new cert. So he asked me: Alex, how can I delete a certificate from my smart card so there is room for a new one?
Well, admins generally have special tools for this task, but sometimes an end user (or an admin) needs to manually free up space on a smart card in order to enroll or renew certs. If you are in this situation, you may follow these steps:
1) Run the following command to get a list of certificates stored in the smart card:
certutil -scinfo > output.txt
Note: the certutil tool is included on Windows Vista/Server 2008 by default. On earlier systems you can get it from the Windows Server 2003 Admin Pack, for instance.
Certutil may request the smart card PIN several times. You can safely dismiss these requests by pressing Esc each time. You will finally get a dialog with a list of the certificates on the card (in my particular case I got 3 certs, and one of them had already expired). Close that dialog and wait until certutil finishes running.
2) Take a look at output.txt. For example, in my case the first cert (“Certificate 0”) was the expired one (I could see strings like “Chain on smart card is invalid”, “CERT_TRUST_IS_NOT_TIME_VALID” and “Expired certificate”). Copy its related “Key Container” value (“f6138188-3725-4c2b-8cf6-9c421d8bee69” in my case).
3) Run the following command to remove the certificate associated to the key container you copied before:
certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "f6138188-3725-4c2b-8cf6-9c421d8bee69"
Note: your smart card CSP may be different (cards that use a CNG key storage provider show up as "Microsoft Smart Card Key Storage Provider", for example); use the provider that certutil -scinfo reported next to the Key Container. Keep in mind that -delkey destroys the private key together with the certificate and cannot be undone, so double-check the Key Container value before running it. If certutil complains that the operation requires elevation, either run it from an elevated command prompt or add the -user switch, which works against the current user's key store without elevation.
Now you should be able to store a new cert in the card.
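The three steps above, scripted in PowerShell as an added example (this is not code from the original post): it runs certutil -scinfo, picks out the certificates certutil flagged as expired, shows their key containers and providers, and only deletes them with certutil -delkey -user when -Force is given. The label formats it parses ("==== Certificate N ====", "Provider =", "Key Container =", "NotAfter:") are an assumption that approximates certutil's output, and the sample block at the end is constructed so the parser can be tried offline; compare with your own output.txt and adjust the regular expressions if your certutil prints different labels.

```powershell
# Added example, not part of the original post. Automates steps 1-3 above.
# ASSUMPTION: the labels matched below approximate "certutil -scinfo" output;
# check them against your own output.txt before relying on the parser.

function Get-ExpiredSmartCardKeys {
    param([Parameter(Mandatory)][string[]]$ScInfoLines)

    $certs   = @()
    $current = $null
    foreach ($line in $ScInfoLines) {
        # A "Certificate N" banner starts a new record.
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            if ($current) { $certs += $current }
            $current = [pscustomobject]@{
                Index        = [int]$Matches[1]
                Provider     = $null
                KeyContainer = $null
                NotAfter     = $null
                Expired      = $false
            }
            continue
        }
        if (-not $current) { continue }   # reader/card status lines before the first cert
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$')  { $current.Provider     = $Matches[1]; continue }
        if ($line -match '^\s*Key Container\s*=\s*(\S+)') { $current.KeyContainer = $Matches[1]; continue }
        if ($line -match '^\s*NotAfter:\s*(.+?)\s*$')     { $current.NotAfter     = $Matches[1]; continue }
        # CERT_TRUST_IS_NOT_TIME_VALID also fires for not-yet-valid certs, so
        # NotAfter is shown to the operator rather than trusted blindly.
        if ($line -match 'CERT_TRUST_IS_NOT_TIME_VALID|Expired certificate') { $current.Expired = $true }
    }
    if ($current) { $certs += $current }

    # Only records that are expired and have a key container we can delete.
    return @($certs | Where-Object { $_.Expired -and $_.KeyContainer })
}

function Remove-ExpiredSmartCardKeys {
    # Dry run unless -Force: -delkey destroys the private key with the cert.
    param([switch]$Force)

    # Step 1: certutil -scinfo may show PIN dialogs; Esc dismisses them.
    $lines   = @(certutil -scinfo 2>&1 | ForEach-Object { [string]$_ })
    $expired = Get-ExpiredSmartCardKeys -ScInfoLines $lines
    if ($expired.Count -eq 0) { Write-Host 'No expired certificates found on the card.'; return }

    foreach ($cert in $expired) {
        # Step 2: use the provider reported for that certificate (CNG cards report
        # "Microsoft Smart Card Key Storage Provider" instead of the Base CSP).
        $csp = if ($cert.Provider) { $cert.Provider } else { 'Microsoft Base Smart Card Crypto Provider' }
        Write-Host ("Certificate {0}: container {1} via '{2}' is expired (NotAfter: {3})" -f $cert.Index, $cert.KeyContainer, $csp, $cert.NotAfter)
        if (-not $Force) { continue }

        # Step 3: -user avoids the elevation requirement; certutil prompts for the
        # card PIN, and cancelling the prompt makes it fail with 0x8010006e.
        & certutil -delkey -user -csp $csp $cert.KeyContainer
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("certutil -delkey failed for {0} (exit code {1})" -f $cert.KeyContainer, $LASTEXITCODE)
        }
    }
}

# Constructed sample in the assumed output format. The first GUID is the one
# from the post; the second one is made up.
$sample = @'
================ Certificate 0 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = f6138188-3725-4c2b-8cf6-9c421d8bee69
 NotBefore: 1/1/2008 10:00 AM
 NotAfter: 1/1/2010 10:00 AM
Chain on smart card is invalid
CERT_TRUST_IS_NOT_TIME_VALID
Expired certificate
================ Certificate 1 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 0b9d2c47-1d2e-4f9a-9c3a-6d8b1b7f4e21
 NotBefore: 1/1/2010 10:00 AM
 NotAfter: 1/1/2012 10:00 AM
Chain on smart card is valid
'@ -split '\r?\n'

# Offline check: only Certificate 0 should be listed.
Get-ExpiredSmartCardKeys -ScInfoLines $sample | Format-Table Index, KeyContainer, Provider, NotAfter

# Against a real card: dry run first, then -Force to actually delete.
# Remove-ExpiredSmartCardKeys
# Remove-ExpiredSmartCardKeys -Force
```

Run the dry run first and read the NotAfter column: the script deletes whatever certutil marked as not time valid, and a wrongly deleted container cannot be recovered from the card.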
I hope this helps.
Kind regards,
Alex (Alejandro Campos Magencio)
Comments
- Anonymous
May 14, 2010
Thanks for the post, it helped me take care of the issue, I am an MSFT employee. Some things which are not mentioned above.

Where to find the 'output.txt'? For me running Windows 7, it was under "C:\Users\johndoe", where 'johndoe' is the username of the user currently logged on. I am also a local Administrator on my machine. I used the Search feature in the operating system to find the file.

When I ran the certutil -delkey command to actually delete a certificate, I got the following error msg:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\johndoe>certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "b4123456-1b9e-4f70-123e-39b12345f2fc"
Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks.
CertUtil: The requested operation requires elevation.

So I had to use the first way described in the blog post below to launch an elevated or Administrator Command Prompt. (Windows : Start : All Programs : Accessories : Command Prompt : Right click on it : Choose 'Run as Administrator', a new window will pop up with title: Administrator: Command Prompt)
http://www.blogsdna.com/2168/windows-7-how-to-open-elevated-command-prompt-with-administrator-privileges.htm

I then typed the above certutil -delkey command there and it prompted me to enter the PIN for my smart card. I cancelled it and the following error appeared in the command prompt window.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "b4123456-1b9e-4f70-123e-39b12345f2fc"
CertUtil: -delkey command FAILED: 0x8010006e (-2146434962)
CertUtil: The action was cancelled by the user.

So I tried it again and this time I entered my smart card PIN and it worked as expected, that certificate was gone. I got the following msg as confirmation.

CertUtil: -delkey command completed successfully.

BTW, you can look at all your certificates in Smart Card using certmgr.msc (Certificate Manager Console), go to Start : Run : type there 'certmgr.msc', hit Enter, you will get the console. In there, expand 'Certificates - Current User : Personal : Certificates' container to see all your certificates on your smart card. Make sure to Refresh the container to get a current list (that's right click on Certificates container and choose Refresh).

- Anonymous
July 09, 2015
You can also run the command without admin rights by using the -user switch. The command would look like this:

certutil -delkey -user -csp "Microsoft Base Smart Card Crypto Provider" "b4123456-1b9e-4f70-123e-39b12345f2fc"