Does certutil -delkey actually delete the certificate and private key?



  • I am trying to delete a certificate and its private key using certutil -csp "Microsoft Enhanced Cryptographic Provider v1.0" -delkey "the key container". This gave me a "command completed successfully" message. I then check what is in the store again with certutil -store, and this still lists the certificate. When I then try to delete again, it gives me "KeySet does not exists". Can someone explain what the -delkey option does and why the certificate still appears in the output?


  • QA Engineer

    certutil is one of the less-well-documented commands I know of. However, both by considering the existence of the -delstore command ("Delete certificate from store") and considering what a key container is probably doing, my best guess is that the command deleted the private key storage (and, presumably, any private keys it contained) but did not delete the corresponding certificate(s).

    Does the certificate in question have an associated private key known to the system? You can find this at the bottom of the text output, somewhat indirectly - it'll say "Cannot find the certificate and private key for decryption" or similar if not - or you can use the certmgr.msc graphical tool to view installed certificates; ones with a private key will display this on their icon, plus have the text "You have a private key that corresponds to this certificate" in the General tab of the certificate info window. If it doesn't now, did it have one before?
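The check the answer describes can be scripted from PowerShell instead of reading certutil output or clicking through certmgr.msc. The script below is an added example and is not from the original thread; it assumes the certificate sits in the current user's Personal store (Cert:\CurrentUser\My), takes a placeholder thumbprint, reports whether the store entry still references a private key and, for a legacy CSP key, which key container and provider it points at. With -Remove it deletes the certificate and its key in one step via Remove-Item -DeleteKey, which is the PowerShell equivalent of certutil -delkey followed by -delstore.

```powershell
# Added example, not code from the original thread.
# Usage: .\Inspect-CertKey.ps1 -Thumbprint 'PLACEHOLDER_THUMBPRINT' [-Remove]
param(
    [Parameter(Mandatory)] [string]$Thumbprint,           # placeholder; supply your own
    [string]$StorePath = 'Cert:\CurrentUser\My',           # assumed store location
    [switch]$Remove
)

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

# HasPrivateKey only reflects that the store entry carries key-provider info;
# it is what certmgr.msc shows as "You have a private key that corresponds...".
"Subject:        $($cert.Subject)"
"HasPrivateKey:  $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    try {
        # Opening the key is the real test: if certutil -delkey already removed
        # the container, the reference survives but the open attempt fails.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: these are the values certutil -csp / -delkey operate on
            "Key container:  $($rsa.CspKeyContainerInfo.KeyContainerName)"
            "Provider:       $($rsa.CspKeyContainerInfo.ProviderName)"
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: addressed by key name rather than a CSP container
            "CNG key name:   $($rsa.Key.KeyName)"
        } elseif ($null -eq $rsa) {
            "Private key is referenced but is not an RSA key (ECDSA or other)."
        }
    } catch {
        "Private key is referenced but could not be opened: $($_.Exception.Message)"
    }
}

if ($Remove) {
    # -DeleteKey removes the private key together with the certificate entry,
    # so the store does not keep a dangling reference to a deleted container.
    Remove-Item -Path $cert.PSPath -DeleteKey
    "Removed certificate $Thumbprint and its private key from $StorePath"
}
```

Run it first without -Remove to see whether the entry still references a key and whether that key can actually be opened; a "could not be opened" line after a successful certutil -delkey is consistent with the answer's reading that -delkey removed the container but left the certificate in the store.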


