How would I remove all self-signed certificates from all user's Personal Certificate Store?

Occasional Visitor

We have around 80 users with a self-signed e-mail signing certificate generated via Group Policy from our internal CA (A Windows 2012 DC).
Having recently changed to using a GlobalCA for e-mail signing, we wish to remove all those self-signed certs.
Now, I mistakenly thought this would be an easy case of revoking the certs and allowing GP to remove revoked certs - unfortunately this had the effect of stopping people from accessing old "Sent Items" they'd signed with this self-signed cert and recipients from reading e-mails sent using this self-signed cert - the damage has been done and we've managed to resolve this, however, we still have a GP running that requests a self-signed cert and because we are no longer using this to sign e-mails, we need to remove these self-signed certs from their Personal Certificate Store. Naturally a scripted solution would be best (Powershell) but how do I go about this? Is there something common I can search for e.g. the Issuer CN ?
Any help with this script would be gratefully received - I'd need to run this on around 80 machines.

0 Replies