Delete certificates on smart cards

If you want to delete existing certificates on a smart card, follow these steps:

Start PowerShell (or cmd, since we do not actually use PS-commands)

Insert the smart card in a reader

Run the command certutil -scinfo

Enter PIN if prompted

Verify that the certificate that is shown is the one you want to delete:


Note. There may be more than one certificate on the smart card. All will be shown in the list.

Look for the values Provider and Key Container in the output from certutil:


The example shows the values for Certificate 0. If the certificate was issued from a Certificate Template, the template name can be a part of the Key Container name, such as this: “le-TomDemoSmartcardLogon-e5a89709-33996”.

The [Default Container] indicates that this is the most recent certificate created/added to the smart card. Earlier versions of Windows could only use the default container for smart card login, but now you can select any certificate on the card at logon.

If you have more than one certificate, look for the same values for Certificate 1, Certificate 2 and so on further down in the output. Note that if you delete Certificate 0 and then run this command again, Certificate 1 will have become Certificate 0.

Run the following command to delete the certificate. You must run it from an elevated shell:

certutil -delkey -csp "<name of CSP>" "<key container>"

For the example above, the command would look like this:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "fd21e7e6-b9dd-4a08-6e4d8b2680792ec"

Enter the PIN

You should see this output:


If the smart card is empty, this is the expected output, with no prompt for PIN-code:
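The lookup in the steps above, as an added example that is not part of the original post: a PowerShell function that pairs each certificate section with its Provider and Key Container and prints the matching certutil -delkey line for review without running it. The sample text is constructed, its line layout is an assumption about what certutil -scinfo prints, and Get-SmartCardContainer is a hypothetical helper name.

```powershell
# Constructed sample, shaped like the parts of 'certutil -scinfo' output the
# steps above refer to (assumed layout, made-up container names).
# For a real card, use instead:  $text = certutil -scinfo | Out-String
$text = @'
================ Certificate 0 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 11111111-aaaa-bbbb-cccc-000000000000 [Default Container]
================ Certificate 1 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = le-ExampleTemplate-22222222-12345
'@

function Get-SmartCardContainer {
    param([string]$ScInfoText)
    $current = $null
    foreach ($line in $ScInfoText -split "`r?`n") {
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            # New certificate section: emit the previous one if it is complete.
            if ($current -and $current.KeyContainer) { $current }
            $current = [pscustomobject]@{
                Index = [int]$Matches[1]; Provider = $null
                KeyContainer = $null; IsDefault = $false
            }
        }
        elseif ($current -and $line -match '^\s*Provider\s*=\s*(.+?)\s*$') {
            $current.Provider = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Key Container\s*=\s*(.+?)\s*$') {
            $name = $Matches[1]
            # The marker is display text, not part of the container name.
            $current.IsDefault = $name -match '\[Default Container\]'
            $current.KeyContainer = ($name -replace '\s*\[Default Container\]\s*$', '').Trim()
        }
    }
    if ($current -and $current.KeyContainer) { $current }
}

$containers = Get-SmartCardContainer -ScInfoText $text
$containers | Format-Table Index, IsDefault, Provider, KeyContainer -AutoSize

# Print (do not run) one delete command per container. The container name,
# not the index, identifies the key: indexes shift after each deletion.
foreach ($c in $containers) {
    'certutil -delkey -csp "{0}" "{1}"' -f $c.Provider, $c.KeyContainer
}
```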


About Tom Aafloen

IT Security Advisor @ Onevinn