If you want to delete existing certificates on a smart card, follow these steps:
Start PowerShell (or cmd, since we do not actually use PS-commands)
Insert the smart card in a reader
Run the command certutil -scinfo
Enter PIN if prompted
Verify that the certificate that is shown is the one you want to delete:
Note. There may be more than one certificate on the smart card. All will be shown in the list.
Look for the values Provider and Key Container in the output from certutil:
The example shows the values for Certificate 0. If the certificate was issued from a Certificate Template, the template name can be a part of the Key Container name, such as this: “le-TomDemoSmartcardLogon-e5a89709-33996”.
The [Default Container] indicates that this is the most recent certificate created/added to the smart card. Earlier versions of Windows could only use the default container for smart card login, but now you can select any certificate on the card at logon.
If you have more than one certificate, look for the same values, but for Certificate 1, Certificate 2 and so on further down in the output. Note that if you delete Certificate 0, and then runs this command again, Certificate 1 will then have become Certificate 0.
Run the following command to delete the certificate. You must run these from an elevated shell:
certutil -delkey -csp “<name of CSP>” “<key container>”
For the example above, the command would look like this:
certutil -delkey -csp “Microsoft Base Smart Card Crypto Provider” “fd21e7e6-b9dd-4a08-6e4d8b2680792ec”
Enter the PIN
You should see this output:
If the smart card is empty, this is the expected output, with no prompt for PIN-code: