4

Windows 7's certificate store, by default, stores the public key certificate of every smartcard you use. This is sometimes undesirable: if a machine needs to use a lot of smartcards, the "Please select a certificate" popup becomes increasingly crowded.

Is there a way to configure Windows such that the public key associated with a smartcard would be automatically removed from the certificate store once the smartcard is removed?

Or alternatively, a way to stop Windows from storing smartcard certificates in the store in the first place?

pooispoois

2 Answers

2

I don't know of a way to automatically remove such certificates, but you can clean them out by going to Control Panel -> Internet Options -> Content tab -> Certificates. Select the ones you want to get rid of, then click Remove.

Otherwise, you will need to write a utility that detects the smart-card insert event, then lists and remembers all certificates, and finally deletes them from the certificate store upon the smart-card removal event.

If you intend to go this way, besides the detailed documentation one can find on the Microsoft website, here are some references that can give you some understanding of the required programming:

  • How to enumerate all certificates on a smart card (PowerShell, but can be adapted to C/C#)
  • A Smart Card Framework for .NET
  • pcsc-sharp library

Glorfindel
harrymc
  • This sort of answers the question... I already knew, however, that I could develop a small utility for it. Just thought there could be a configuration/policy setting for it somewhere. In our company, employee custom developed code is always looked at with some suspicion. – pooispoois Jan 16 '14 at 15:32
  • Then they will also not let you modify Active Directory. Your own program can directly use a smart-card certificate, but normally a standard Web application will only consult the certificate store, so post-cleaning will be required. Perhaps something can be done for one particular type of Web applications, if you specify which is yours. – harrymc Jan 16 '14 at 16:01
  • The Web application only consults the certificate store. I can modify Active Directory, just not justify deploying a custom made program without huge hassle. Altering group policy settings, as well as configuring Active Directory and all kinds of settings are standard procedures, whereas applications are white-listed. – pooispoois Jan 16 '14 at 16:23
  • After thinking, Active Directory won't help, except for serving as alternate store. AFAIK, you are only left with a program or a script for cleaning-up the store. Are scripts also looked at with suspicion? – harrymc Jan 16 '14 at 16:44
  • I think a script would be all right. Do you think it would be possible to leverage the CryptoAPI on PowerShell in order to achieve a similar result? – pooispoois Jan 16 '14 at 19:04
  • Or even a simple batch file using [certmgr](http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.110%29.aspx). Once you know what to search for, google is your friend. An example powershell resource [is here](http://blogs.technet.com/b/heyscriptingguy/archive/2007/11/19/hey-scripting-guy-how-can-i-tell-if-a-computer-has-a-smartcard-reader-attached.aspx). – harrymc Jan 16 '14 at 19:19
0

You can use the following command to remove all smartcard certificates from your store:

certutil -user -delstore my 1.3.6.1.4.1.311.20.2.2

The certificate of the smartcard in use will appear in the certificate store again when you insert the smartcard into the reader.

For more details, look up 1.3.6.1.4.1.311.20.2.2 on your favorite search engine.

Ƭᴇcʜιᴇ007
Enkel
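Taking the two answers together (the clean-up script harrymc suggests and the Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 that Enkel's certutil command keys on), here is an added PowerShell example; it is not code from either answer. It does in script form what `certutil -user -delstore my 1.3.6.1.4.1.311.20.2.2` does, with two additions a practitioner would want before running it unattended: a `-WhatIf` dry run that lists what would be removed, and an optional issuer filter so that only certificates from your organisation's smartcard CA are touched (certutil's EKU match removes every certificate carrying that EKU, whatever its origin). It assumes Windows PowerShell 5.1 or later; the issuer name `Example Smart Card CA` is a placeholder.

```powershell
# Added example: identify and remove smartcard logon certificates that
# Windows has copied into the current user's "My" (Personal) store.
# Assumes Windows PowerShell 5.1+ and the .NET X509Store API only.

# Smart Card Logon EKU, the same OID used in the certutil answer above.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCertificate {
    # Returns certificates in CurrentUser\My that carry the Smart Card Logon EKU
    # and whose issuer matches -IssuerFilter (wildcard, default: everything).
    param([string]$IssuerFilter = '*')

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # Pull the EKU extension from the raw extension list rather than the
            # Cert: provider's convenience property, so this works on plain objects.
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                Select-Object -First 1
            if ($null -eq $eku) { continue }

            $hasLogonEku = $false
            foreach ($oid in $eku.EnhancedKeyUsages) {
                if ($oid.Value -eq $SmartCardLogonOid) { $hasLogonEku = $true }
            }
            if ($hasLogonEku -and ($cert.Issuer -like $IssuerFilter)) { $cert }
        }
    }
    finally { $store.Close() }
}

function Remove-SmartCardLogonCertificate {
    # Removes the certificates found above. Supports -WhatIf / -Confirm so the
    # operator can review the list before anything is deleted.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$IssuerFilter = '*')

    $targets = @(Get-SmartCardLogonCertificate -IssuerFilter $IssuerFilter)
    if ($targets.Count -eq 0) {
        Write-Verbose 'No smartcard logon certificates present in CurrentUser\My.'
        return
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try {
        foreach ($cert in $targets) {
            $label = "$($cert.Subject) [$($cert.Thumbprint)]"
            if ($PSCmdlet.ShouldProcess($label, 'Remove from CurrentUser\My')) {
                # Only the public certificate is stored here; the private key
                # stays on the card, so nothing else needs cleaning up.
                $store.Remove($cert)
                Write-Verbose "Removed $label"
            }
        }
    }
    finally { $store.Close() }
}

# Dry run first: shows each certificate that would be removed, removes nothing.
# 'Example Smart Card CA' is a placeholder for your own smartcard CA's name.
Remove-SmartCardLogonCertificate -IssuerFilter '*CN=Example Smart Card CA*' -WhatIf

# Real run (uncomment once the dry run lists only the expected certificates):
# Remove-SmartCardLogonCertificate -IssuerFilter '*CN=Example Smart Card CA*' -Verbose
```

Because the script itself is what the poster's company would have to approve, it is kept to the built-in .NET store API with no compiled code. Scheduling the second call as a Group Policy logoff script or a logon scheduled task gives the effect asked for in the question: the store is emptied of card certificates between sessions, and the next time a card is inserted Windows repopulates its certificate, as Enkel's answer notes.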