How would I remove all self-signed certificates from all user's Personal Certificate Store?

%3CLINGO-SUB%20id%3D%22lingo-sub-304697%22%20slang%3D%22en-US%22%3EHow%20would%20I%20remove%20all%20self-signed%20certificates%20from%20all%20user's%20Personal%20Certificate%20Store%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304697%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20around%2080%20users%20with%20a%20self-signed%20e-mail%20signing%20certificate%20generated%20via%20Group%20Policy%20from%20our%20internal%20CA%20(A%20Windows%202012%20DC).%3CBR%20%2F%3EHaving%20recently%20changed%20to%20using%20a%20GlobalCA%20for%20e-mail%20signing%2C%20we%20wish%20to%20remove%20all%20those%20self-signed%20certs.%3CBR%20%2F%3ENow%2C%20I%20mistakenly%20thought%20this%20would%20be%20an%20easy%20case%20of%20revoking%20the%20certs%20and%20allowing%20GP%20to%20remove%20revoked%20certs%20-%20unfortunately%20this%20had%20the%20effect%20of%20stopping%20people%20from%20accessing%20old%20%22Sent%20Items%22%20they'd%20signed%20with%20this%20self-signed%20cert%20and%20recipients%20from%20reading%20e-mails%20sent%20using%20this%20self-signed%20cert%20-%20the%20damage%20has%20been%20done%20and%20we've%20managed%20to%20resolve%20this%2C%20however%2C%20we%20still%20have%20a%20GP%20running%20that%20requests%20a%20self-signed%20cert%20and%20because%20we%20are%20no%20longer%20using%20this%20to%20sign%20e-mails%2C%20we%20need%20to%20remove%20these%20self-signed%20certs%20from%20their%20Personal%20Certificate%20Store.%20Naturally%20a%20scripted%20solution%20would%20be%20best%20(Powershell)%20but%20how%20do%20I%20go%20about%20this%3F%20Is%20there%20something%20common%20I%20can%20search%20for%20e.g.%20the%20Issuer%20CN%20%3F%3CBR%20%2F%3EAny%20help%20with%20this%20script%20would%20be%20gratefully%20received%20-%20I'd%20need%20to%20run%20this%20on%20around%2080%20machines.%3CBR%20%2F%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

We have around 80 users with a self-signed e-mail signing certificate generated via Group Policy from our internal CA (A Windows 2012 DC).
Having recently changed to using a GlobalCA for e-mail signing, we wish to remove all those self-signed certs.
Now, I mistakenly thought this would be an easy case of revoking the certs and allowing GP to remove revoked certs - unfortunately this had the effect of stopping people from accessing old "Sent Items" they'd signed with this self-signed cert and recipients from reading e-mails sent using this self-signed cert - the damage has been done and we've managed to resolve this, however, we still have a GP running that requests a self-signed cert and because we are no longer using this to sign e-mails, we need to remove these self-signed certs from their Personal Certificate Store. Naturally a scripted solution would be best (Powershell) but how do I go about this? Is there something common I can search for e.g. the Issuer CN ?
Any help with this script would be gratefully received - I'd need to run this on around 80 machines.
Thanks

0 Replies