If You’re Dealing With Certificates In Windows 10, It’s Inevitable That You’ll Eventually Need to Remove One – Here’s How To Do It

Digital certificates are all about creating trust, but what happens when that trust is broken? If something happens to the certificate – say it’s compromised or stolen by a malicious third party, or perhaps it simply expired – then it is no long useful. In fact, in can be downright dangerous depending on the situation.

If you have any suspicions that a certificate has been compromised, then you’ll want to distrust and remove the questionable certificate as soon as possible so you don’t leave yourself open to threats like man-in-the-middle attacks or malware deployment.

For the purpose of this article, we’re going to assume that you’re using today’s most widely-used desktop operating system – Windows 10. So, how does one remove certificates from Windows 10?

Let’s hash it out.

Managing Certificates in Windows 10

WARNING – Before we get into the specific steps for how to remove certificates from Windows 10, be aware of the problems that can arise from manually modifying certificates. In particular, be careful when dealing with root certificates, as messing around with them can cause serious and unexpected issues to occur. We recommend that you perform a backup before performing any of the steps below so that you’re protected in the event that something does go wrong.

Now that you know the risks, let’s get on to the steps to remove certificates from Windows 10.

We’ll be using Microsoft Management Console (MMC) to manage certificates on our Windows 10 machine. MMC lets you view three different types of certificate stores, all with a different scope:

  • Local computer – shows all certificates for all users on the device
  • Current user – only for certificates relating to the current user account on the device
  • Service account – only for certificates relating to a specific service on the device

Regardless of which certificate store you want to view, the setup steps are the same:

  1. Launch MMC by clicking the Windows icon on the taskbar and searching for “MMC”. You should see a toolbox icon with the text “mmc” below it – click it to open MMC.
MMC upon launch
MMC upon launch.

2. Next, you’ll want to add the certificate “snap-in” to MMC, which will allow us to ultimately remove certificates from Windows 10. The snap-ins are basically different toolsets that allow for various functionalities within MMC. Find “Certificates” on the left column. Click on it to select it, then click “Add” to move it to the right column. Then, click “OK” to continue.

configuring MMC for certificates
Configuring MMC for certificate management.

3. After hitting “Add”, you’ll have to decide the scope of the certificates you’ll be managing with MMC, which we touched on earlier. Choose “Computer account” to view certificates for all users on this machine and then hit “Next”.

picking which certificate stores you want to manage with mmc
Select which certificates you want to manage.

4. On the next window, select “Local computer”, as seen below:

configuring MMC to remove certificates from Windows 10
Usually, you will only want to manage certificates for your local machine.

5. Hit “Finish”, and then hit “OK” to close the snap-in manager screen. You should then see a list of certificates on your local machine displayed in the left-hand column of MMC:

configuring MMC to remove certificates from windows 10
MMC configured for certificate management.

6. Now, you need to find the certificate that you want to remove. For the purpose of this exercise, let’s say you want to remove the “DST Root CA X3” root certificate, since it is expiring on September 30, 2021 anyway (you can read more about this specific root certificate here).

7. You’ll want to use the folder list on the left side to locate the certificate in question. It should be listed under “Third-Party Root Certification Authorities”:

using MMC to remove certificates from Windows 10
Finding a specific certificate within MMC.

8. Find the “DST Root CA X3” certificate and right-click on it. Click “Properties”. Then, in the “General” tab, you should see a section called “Certificate purposes”. Select the radio button that says “Disable all purposes for this certificate” and then click “Apply”.

9. Re-start your machine, and then you’re done!

The same process can be repeated regardless of the certificate type in order to remove certificates from Windows 10. It doesn’t matter if we’re talking about a root certificate, a device certificate, a certificate used for VPN logins, etc. If the certificate is visible to your machine, then MMC with the Certificate snap-in should be able to help you achieve your end-goal.

How to Best Manage Your Certificates

As you can see from the screenshots above, there are quite a few certificates listed in MMC. In fact, the certificates you see listed are the default certificates that come with a standard installation of Windows 10. If you are an organization that’s using digital certificates across your various networks, then the number of certificates listed will be much higher.

If you only want to remove certificates from Windows 10, and don’t have many to deal with, then this manual method of certificate management can work. However, we highly recommend certificate management platforms such as DigiCert CertCentral or Sectigo Certificate Manager for any company that’s handling more than just a handful of certificates. Not only will certificate management platforms like these help you save time and money by automating common tasks, they will help you avoid human errors that can open you up to the threat of data breaches.

Friday, July 9, 2021