How to clean up expired certs on your smart card

Hi all,

The other day a colleague of mine was trying to renew his smart card certificate, but he got an error telling him that there was not enough space in the card to store the new cert. So he asked me: Alex, how can I delete a certificate from my smart card so there is room for a new one? 

Well, admins generally have special tools for this task, but sometimes an end user or admin needs to free up space on a smart card manually in order to enroll or renew certs. If you are in this situation, you may follow these steps:

1) Run the following command to get a list of certificates stored in the smart card:

certutil -scinfo > output.txt

Note: the certutil tool is included in Windows Vista/Server 2008 by default. You may also get it from the Windows Server 2003 Admin Pack, for instance.

Certutil may request the smart card PIN several times. You can safely ignore these requests by pressing Esc every time. You will finally get a dialog with a list of the certificates in the card (in my particular case I got 3 certs, and one of them had already expired). Now close that dialog and wait until certutil finishes running.

2) Take a look at output.txt. For example, in my case the first cert (“Certificate 0”) was the expired one (I could see strings like “Chain on smart card is invalid”, “CERT_TRUST_IS_NOT_TIME_VALID” and “Expired certificate”). Copy its related “Key Container” value (“f6138188-3725-4c2b-8cf6-9c421d8bee69” in my case).

3) Run the following command to remove the certificate associated with the key container you copied before:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "f6138188-3725-4c2b-8cf6-9c421d8bee69"

Note: your smart card CSP may be different. Use yours.
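If you have to do this for several cards, the manual scan of output.txt in step 2 is the error-prone part. The PowerShell script below is an added example (it is not part of the original post and not a Microsoft tool): it reads the output of step 1, picks out every certificate section that carries the markers the post mentions (“CERT_TRUST_IS_NOT_TIME_VALID”, “Expired certificate”), extracts the “Key Container” and “Provider” values, and prints the matching certutil -delkey command as a dry run. The layout it assumes (a “Certificate N” header line per cert, “Key Container = …” and “Provider = …” lines) is an assumption based on the strings quoted above; the embedded sample output is constructed, and the only real certutil switches used are -scinfo and -delkey -csp from the post.

```powershell
# Added example, not from the original post: find expired certs in the
# output of "certutil -scinfo > output.txt" and build the delkey command.
# Assumed layout (based only on the strings quoted in the post):
#   - each cert section starts with a line containing "Certificate N"
#   - the key container appears as "Key Container = <name>"
#   - the CSP appears as "Provider = <csp name>"
param(
    [string]$Path = '',   # path to a real output.txt; empty = use the sample
    [switch]$Delete       # actually run certutil -delkey (default: dry run)
)

# Constructed sample standing in for a real output.txt.
$sample = @'
================ Certificate 0 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = f6138188-3725-4c2b-8cf6-9c421d8bee69
 NotAfter: 1/1/2008 12:00 AM
Chain on smart card is invalid
CERT_TRUST_IS_NOT_TIME_VALID
Expired certificate
================ Certificate 1 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 11111111-2222-3333-4444-555555555555
 NotAfter: 1/1/2030 12:00 AM
Chain on smart card is valid
'@

$text = if ($Path) { Get-Content -Path $Path -Raw } else { $sample }

# Split the dump into one string per certificate section.
$sections = $text -split '(?m)^=*\s*Certificate \d+\s*=*\s*$' |
    Where-Object { $_.Trim() }

# Markers certutil prints for a cert that is no longer time-valid.
$expiredMarkers = 'CERT_TRUST_IS_NOT_TIME_VALID', 'Expired certificate'

$toRemove = foreach ($s in $sections) {
    $hit = $expiredMarkers | Where-Object { $s -match [regex]::Escape($_) }
    if (-not $hit) { continue }
    $container = if ($s -match '(?m)^\s*Key Container\s*=\s*(\S+)') { $Matches[1] } else { $null }
    $csp       = if ($s -match '(?m)^\s*Provider\s*=\s*(.+?)\s*$')   { $Matches[1] } else { $null }
    if ($container -and $csp) {
        [pscustomobject]@{ KeyContainer = $container; Csp = $csp }
    }
}

if (-not $toRemove) { Write-Host 'No expired certificates found.'; return }

foreach ($item in $toRemove) {
    # Same command as step 3, with the CSP and container taken from the dump.
    $cmd = "certutil -delkey -csp `"$($item.Csp)`" `"$($item.KeyContainer)`""
    if ($Delete) {
        Write-Host "Running: $cmd"
        & certutil -delkey -csp $item.Csp $item.KeyContainer
    } else {
        Write-Host "Would run: $cmd   (re-run with -Delete to execute)"
    }
}
```

Save it as, say, Find-ExpiredSmartCardKeys.ps1 and run it with -Path .\output.txt to see which key containers it would delete; only add -Delete once you have checked that the listed container is the expired one, because -delkey removes the private key and there is no undo on the card. With the sample dump it reports just the first container (the one from the post), not the still-valid second one.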

Now you should be able to store a new cert in the card.

I hope this helps.

Kind regards,


Alex (Alejandro Campos Magencio)