If You’re Dealing With Certificates In Windows 10, It’s Inevitable That You’ll Eventually Need to Remove One – Here’s How To Do It
Digital certificates are all about creating trust, but what happens when that trust is broken? If something happens to the certificate – say it’s compromised or stolen by a malicious third party, or perhaps it simply expired – then it is no long useful. In fact, in can be downright dangerous depending on the situation.
If you have any suspicions that a certificate has been compromised, then you’ll want to distrust and remove the questionable certificate as soon as possible so you don’t leave yourself open to threats like man-in-the-middle attacks or malware deployment.
For the purpose of this article, we’re going to assume that you’re using today’s most widely-used desktop operating system – Windows 10. So, how does one remove certificates from Windows 10?
Let’s hash it out.
Managing Certificates in Windows 10
WARNING – Before we get into the specific steps for how to remove certificates from Windows 10, be aware of the problems that can arise from manually modifying certificates. In particular, be careful when dealing with root certificates, as messing around with them can cause serious and unexpected issues to occur. We recommend that you perform a backup before performing any of the steps below so that you’re protected in the event that something does go wrong.
Now that you know the risks, let’s get on to the steps to remove certificates from Windows 10.
We’ll be using Microsoft Management Console (MMC) to manage certificates on our Windows 10 machine. MMC lets you view three different types of certificate stores, all with a different scope:
Local computer – shows all certificates for all users on the device
Current user – only for certificates relating to the current user account on the device
Service account – only for certificates relating to a specific service on the device
Regardless of which certificate store you want to view, the setup steps are the same:
Launch MMC by clicking the Windows icon on the taskbar and searching for “MMC”. You should see a toolbox icon with the text “mmc” below it – click it to open MMC.
2. Next, you’ll want to add the certificate “snap-in” to MMC, which will allow us to ultimately remove certificates from Windows 10. The snap-ins are basically different toolsets that allow for various functionalities within MMC. Find “Certificates” on the left column. Click on it to select it, then click “Add” to move it to the right column. Then, click “OK” to continue.
3. After hitting “Add”, you’ll have to decide the scope of the certificates you’ll be managing with MMC, which we touched on earlier. Choose “Computer account” to view certificates for all users on this machine and then hit “Next”.
4. On the next window, select “Local computer”, as seen below:
5. Hit “Finish”, and then hit “OK” to close the snap-in manager screen. You should then see a list of certificates on your local machine displayed in the left-hand column of MMC:
6. Now, you need to find the certificate that you want to remove. For the purpose of this exercise, let’s say you want to remove the “DST Root CA X3” root certificate, since it is expiring on September 30, 2021 anyway (you can read more about this specific root certificate here).
7. You’ll want to use the folder list on the left side to locate the certificate in question. It should be listed under “Third-Party Root Certification Authorities”:
8. Find the “DST Root CA X3” certificate and right-click on it. Click “Properties”. Then, in the “General” tab, you should see a section called “Certificate purposes”. Select the radio button that says “Disable all purposes for this certificate” and then click “Apply”.
9. Re-start your machine, and then you’re done!
The same process can be repeated regardless of the certificate type in order to remove certificates from Windows 10. It doesn’t matter if we’re talking about a root certificate, a device certificate, a certificate used for VPN logins, etc. If the certificate is visible to your machine, then MMC with the Certificate snap-in should be able to help you achieve your end-goal.
How to Best Manage Your Certificates
As you can see from the screenshots above, there are quite a few certificates listed in MMC. In fact, the certificates you see listed are the default certificates that come with a standard installation of Windows 10. If you are an organization that’s using digital certificates across your various networks, then the number of certificates listed will be much higher.
If you only want to remove certificates from Windows 10, and don’t have many to deal with, then this manual method of certificate management can work. However, we highly recommend certificate management platforms such as DigiCert CertCentral or Sectigo Certificate Manager for any company that’s handling more than just a handful of certificates. Not only will certificate management platforms like these help you save time and money by automating common tasks, they will help you avoid human errors that can open you up to the threat of data breaches.