How would I remove all self-signed certificates from all users' Personal Certificate Store?

Tim_Furlong
Occasional Visitor

We have around 80 users with a self-signed e-mail signing certificate generated via Group Policy from our internal CA (A Windows 2012 DC).
Having recently changed to using a GlobalCA for e-mail signing, we wish to remove all those self-signed certs.
Now, I mistakenly thought this would be an easy case of revoking the certs and allowing GP to remove revoked certs - unfortunately this had the effect of stopping people from accessing old "Sent Items" they'd signed with this self-signed cert and recipients from reading e-mails sent using this self-signed cert - the damage has been done and we've managed to resolve this, however, we still have a GP running that requests a self-signed cert and because we are no longer using this to sign e-mails, we need to remove these self-signed certs from their Personal Certificate Store. Naturally a scripted solution would be best (PowerShell) but how do I go about this? Is there something common I can search for e.g. the Issuer CN?
Any help with this script would be gratefully received - I'd need to run this on around 80 machines.
Thanks
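
Added example, not part of the original post: one way to script the removal by matching on the Issuer CN, as the question suggests, and on the Secure Email key usage. The CA name `EXAMPLE-INTERNAL-CA`, the log path and the `-Remove` switch are assumptions, and the script is assumed to run in each user's own session (for example as a logon script), because `Cert:\CurrentUser\My` is per-user.

```powershell
# Added example. Run in the user's own session (Cert:\CurrentUser is per-user).
param(
    # Placeholder (assumption): common name of the internal issuing CA.
    [string]$IssuerCN = 'EXAMPLE-INTERNAL-CA',
    # Hypothetical log location for the inventory of matched certificates.
    [string]$LogPath = (Join-Path $env:TEMP 'matched-email-certs.csv'),
    # Without -Remove the script only reports what it would delete.
    [switch]$Remove
)

$emailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (S/MIME) enhanced key usage
$simple   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$targets = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    # Collect the EKU OIDs; certificates without an EKU extension yield nothing.
    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    # Match on the issuer's CN (forIssuer = $true) and on the e-mail purpose,
    # so other certificates from the same CA are left alone.
    ($cert.GetNameInfo($simple, $true) -eq $IssuerCN) -and ($ekus -contains $emailOid)
})

if ($targets.Count -eq 0) {
    Write-Output "No e-mail certificates issued by '$IssuerCN' found."
    return
}

# Record what matched before touching the store.
$targets | Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey |
    Export-Csv -Path $LogPath -NoTypeInformation -Append

foreach ($cert in $targets) {
    # -DeleteKey is deliberately not used: the certificate leaves the store,
    # the private key container stays on disk.
    Remove-Item -Path $cert.PSPath -WhatIf:(-not $Remove)
}
```

While the Group Policy mentioned in the post still requests this certificate, removed certificates may simply be issued again, so that policy needs to be disabled before the script runs with `-Remove`.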
