PowerShell commands to delete personal certificates

Chris Krat 1 Reputation point
2021-04-16T17:12:13.35+00:00

I came across a great post from the old TechNet and ran into an issue that is similar to it (listed below).

https://social.technet.microsoft.com/Forums/en-US/2e472d2e-98d3-4621-bfb2-be18733ad412/script-to-remove-a-local-certificate-possible?forum=winserverpowershell

I am trying to use PowerShell to delete personal certificates other than the ones belonging to the primary user of the computer. Our HR folks deal with this constantly and I am looking to provide them a simple script of sorts to simply double-click and wash away all the other user certificates not their own. The one I saw targeted specifically certificates within certificate manager that were Issued By, however. What code or commands do I use to target deletion of certificates Issued To?


3 answers

  1. Anonymous
    2021-04-19T04:02:49.677+00:00

    Hi,

    You can filter with the "Subject" property like this:

    # Removes every certificate whose Subject matches $user (regex substring match)
    $user="test user"
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -match $user} | Remove-Item

    Best Regards,
    Ian Xue

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.

  2. Chris Krat 1 Reputation point
    2021-04-19T16:54:37.313+00:00

    Hello IanXue-MSFT,
    Thank you for your reply, please bear with me as my experience in scripts and coding is very lacking. I realized after posting I need to save more than one certificate. I also ran the code you provided, but it deleted the certificates I set, it did not keep them. Bad example, say I have twenty certificates in my store within Certificates - CurrentUser\Personal\Certificates. Of those twenty certificates, I want to keep five of them and delete the remaining certificates. How do I modify the code to not touch those five certificates, but delete the other 15? Those five certificates will be constant, I need to keep them at all times, the remaining certificates (which are always going to be different) so I just need the code to look for those five certificates, removing all others.


  3. Anonymous
    2021-04-22T06:33:25.207+00:00

    Hi,

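    If whether the certificate is to be retained is determined by "Issued To", you can try something like this:

    # Subject fragments ("Issued To") of the certificates to keep
    $users = "user1","user2","user3","user4","user5"
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $ifkeep = $false
        foreach($user in $users){
            # -match is a regex substring test against the full Subject string
            if($_.Subject -match $user){
                $ifkeep = $true
                break
            }
        }
        if($ifkeep -eq $false){
            # Use the provider path (PSPath) so Remove-Item targets exactly this certificate
            Remove-Item -LiteralPath $_.PSPath
        }
    }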

    Best Regards,
    Ian Xue
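
A stricter variant of the keep-list approach in this thread, added here as an example and not posted by any participant: it compares the whole "Issued To" name instead of a regex substring, stops if a keep-list name is not found in the store, and supports `-WhatIf` so the deletion can be previewed. The function name, parameter names and sample user names are assumptions.

```powershell
# Added example: function name, parameter names and the sample names are assumptions.
function Remove-UnlistedCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Exact "Issued To" names that must stay in the store
        [Parameter(Mandatory)]
        [string[]]$Keep,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $certs = @(Get-ChildItem -Path $StorePath)

    # Pair each certificate with its "Issued To" value (subject simple name, not the full DN)
    $entries = foreach ($cert in $certs) {
        [pscustomobject]@{
            IssuedTo = $cert.GetNameInfo($simpleName, $false)
            Cert     = $cert
        }
    }

    # Stop if a keep-list name matches nothing: a typo must not empty the store
    $present = @($entries | ForEach-Object { $_.IssuedTo })
    $missing = @($Keep | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Keep-list names not found in ${StorePath}: $($missing -join ', ')"
    }

    foreach ($entry in $entries) {
        # Whole-name, case-insensitive comparison: "user1" does not also keep "user10"
        if ($Keep -contains $entry.IssuedTo) { continue }

        $target = '{0} [{1}]' -f $entry.IssuedTo, $entry.Cert.Thumbprint
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            Remove-Item -LiteralPath $entry.Cert.PSPath
            # Emit a record of what was deleted so the run can be audited
            $entry | Select-Object IssuedTo, @{ n = 'Thumbprint'; e = { $_.Cert.Thumbprint } }
        }
    }
}

# Dry run first: lists what would be removed without touching the store
Remove-UnlistedCertificate -Keep 'user1','user2','user3','user4','user5' -WhatIf
```

Run it with `-WhatIf` and review the list before running it without the switch.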

