Deleting old keys on Smart Card

If you use your smart card a lot and issue many certificates to it, there will come a moment when the storage on the card is too small to accommodate new certificates. In most cases your IT department might ask you to send your card back for replacement, or they will tell you to issue replacement certificates while reusing the same private key, to keep the size of new certificates on the card to a minimum.

But it is fairly easy to delete old certificates from your card and free up space on it.

To delete a certificate on the Smart Card, use the following command:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" KeyContainerName

Of course, you need to know the KeyContainerName before you can run the above command.

To find the right container name on the card you can run the following command:

certutil -key -csp "Microsoft Base Smart Card Crypto Provider"

This command shows the container names, but it does not show which certificates are associated with which containers.

To list all certificates on the card use the following command:

certutil -scinfo

Make sure you find the container that corresponds to the expired certificate you want to remove from the Smart Card. If you specify the wrong container, it will delete a valid certificate, your card will become useless, and then you'll definitely have to contact the help desk.

Here is an example of the output of certutil -key -csp "Microsoft Base Smart Card Crypto Provider":

C:\>certutil -key -csp "Microsoft base Smart Card Crypto Provider"

Microsoft base Smart Card Crypto Provider:

484fdef3-4106-40aa-b060-73c36f70db7b

AT_KEYEXCHANGE

c364101a-df8f-49f1-b71d-13c67ec6032f

AT_KEYEXCHANGE

da73e850-19f7-454f-a4e9-7ceb15aa4b0d

AT_KEYEXCHANGE

le-S/MIMESignatureSmartcard-5-05811

AT_SIGNATURE

le-MSSmartcardUser-02c869ab-c62d--61905 [Default Container]

AT_KEYEXCHANGE

CertUtil: -key command completed successfully.
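
The warning above about picking the wrong container can be turned into a check before anything is deleted. The following PowerShell is an added example, not part of the original post: it parses the certutil -key listing in the layout shown above and only prints the -delkey command for a container name that appears in that listing. The helper names Get-CardContainer and Get-DelKeyCommand are hypothetical, and refusing the default container unless -AllowDefault is passed is an added precaution, not something certutil enforces.

```powershell
# Added example. Assumes the `certutil -key -csp ...` layout shown on this page:
# a container-name line followed by its key-spec line(s).
$csp = 'Microsoft Base Smart Card Crypto Provider'

function Get-CardContainer {            # hypothetical helper name
    param([string[]]$Lines)
    $name = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Skip blanks, the provider header ("...:") and the CertUtil status line.
        if ($text -eq '' -or $text -like 'CertUtil:*' -or $text.EndsWith(':')) { continue }
        if ($text -match '^AT_(KEYEXCHANGE|SIGNATURE)$') {
            if ($name) {
                [pscustomobject]@{
                    Container = $name -replace '\s*\[Default Container\]$', ''
                    KeySpec   = $text
                    IsDefault = $name -match '\[Default Container\]$'
                }
            }
        } else { $name = $text }
    }
}

function Get-DelKeyCommand {            # hypothetical helper name
    param([object[]]$Containers, [string]$Name, [switch]$AllowDefault)
    # Exact, case-sensitive match guards against a mistyped container name.
    $hit = @($Containers | Where-Object { $_.Container -ceq $Name })
    if ($hit.Count -eq 0) { throw "Container '$Name' is not in the card listing." }
    if (@($hit | Where-Object { $_.IsDefault }).Count -gt 0 -and -not $AllowDefault) {
        throw "Container '$Name' is the default container; pass -AllowDefault to override."
    }
    'certutil -delkey -csp "{0}" "{1}"' -f $csp, $Name
}

# Constructed sample: part of the listing shown on this page.
$sample = @'
Microsoft base Smart Card Crypto Provider:
484fdef3-4106-40aa-b060-73c36f70db7b
AT_KEYEXCHANGE
le-S/MIMESignatureSmartcard-5-05811
AT_SIGNATURE
le-MSSmartcardUser-02c869ab-c62d--61905 [Default Container]
AT_KEYEXCHANGE
CertUtil: -key command completed successfully.
'@ -split "`r?`n"

$containers = Get-CardContainer -Lines $sample   # live card: (certutil -key -csp $csp)
$containers | Format-Table -AutoSize
# Container picked only for illustration; confirm it against certutil -scinfo first.
Get-DelKeyCommand -Containers $containers -Name '484fdef3-4106-40aa-b060-73c36f70db7b'
```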