Deleting a Certificate and Keys using Certutil

To delete a credential (certificate and keys) stored on the PIVKey, use a utility, such as vSEC_CMS, or Certutil, the certificate utility included with Microsoft Windows.  The PIVKey minidriver must be installed to load or delete certificates from the PIVKey (without the PIVKey minidriver, the PIVKey will be read-only).  

Deleting a certificate with certutil requires running certutil with administrator rights (or from an elevated command prompt) and requires the exact container name of the credential to delete. This information can be found by opening an elevated command prompt and running certutil with the following options:

certutil -scinfo


certutil -key -csp "Microsoft Base Smart Card Crypto Provider"

Make sure to identify the correct container name. 
Note: the name of the container may contain the certificate template name. 


To delete the container and its associated certificate, run:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" [container-name in quotes]


In this example, the container that is deleted is the default PIVKey Credential for a PIVKey C910 card.

Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk