[RESOLVED] How do I make a .crt (certificate) file that actually can be uninstalled correctly?

[Ben321]

Ok so I have used makecert.exe to create a self signed CA certificate (cert type "authority") with private key, and then used as the Issuer certificate and key to create a new certificate (this one of type "end", as in End User). In both cases, I also used and pvk2pfx.exe to combine the private key with the cert into a single PFX file. So I can doubleclick that PFX file in Windows Explorer and install it. As it should, it puts it in the "Personal" certificate store (when using CertMgr.exe to view the certificate, it appears in the "Personal" tab).
So now I have 6 files
SelfSignedCA.crt
SelfSignedCA.pvk
SelfSignedCA.pfx
TestUser.crt
TestUser.pvk
TestUser.pfx

Ok. So far so good. Now lets say I want to share that certs (but not private keys) called SelfSignedCA.crt and TestUser.crt to others so that others can use TestUser.crt to validate/verify any files I sign (such as drivers) with the TestUser.crt (which won't function of course unless SelfSignedCA.crt is also installed). So now I can share these 2 files with others and provide instructions for how to install them manually on their computers.

I've tested it myself to try to understand how it works so I could write correct installation instructions I'd need to give to others. As expected, when you install SelfSignedCA.crt, it appears in the "Intermediate Certification Authorities" tab of CertMgr.exe during automatic detection of location to install it, and you can manually override that by manually setting the location to "Trusted Root Certification Authorities".

The problem comes when I then try to install TestUser.crt. Its automatic installation puts it in the "Other People" tab of CertMgr.exe (not the "Personal" tab as I was hoping for). The big problem with this when a certificate gets installed in the "Other People" tab, you can't delete it from within CertMgr.exe. The Remove button is grayed out, and if you press the delete key with with the certificate selected you will see an error that says "You do not have permission to delete some or all of the selected certificates". The ONLY way to get rid of this certificate is go to RegEdit.exe and go to the registry key HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\ and then find the sub key which contains a binary type registry value called Blob, which after viewing should show (burried in with the other raw binary values which aren't ascii characters) the string that is the name of the certificate in ascii (1-byte per character) values. Once you find the subkey who's Blob value contains the name of the certificate you want to delete, you can delete that subkey. This is an TERRIBLY INEFFICIENT way to remove a certificate. I would NEVER want to make my end users need to do this to remove a certificate.

And if you try to manually set the install location to "Personal", you will find that it says that it installed correctly, but when you look in the "Personal" tab of CertMgr.exe, it won't be there. In fact, it won't be in ANY of the tabs. After searching around I discovered that it did get installed, and it is in the folder:
C:\Users\MYNAME\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
So once again, you need to go there, and this time look inside the file with a hex editor to make sure it's the correct one, once again looking for an ascii string burried in a sea of values that are mostly not for ascii text, but are raw binary values. After finding the correct file, you can delete it. As before, this is NOT a good solution at all, and I would NEVER want to make my end users need to do this to delete signature verification certificate, once they were done using it.

The ONLY good solutions are ones in which the certificate can be quickly and easily deleted from within CertMgr.exe so I still need to find a good solution for issuing certificates, so that I can provide decent instructions on REMOVAL of the certificates when the end user is done using them for verifying any files I make that they may wish to verify.

[Ben321]

Ok so it looks like in both these scenarios where it can't be deleted (or even found) easily, it actually does get installed in a way that it can be found by the certificate manager. It's just that the CertMgr.exe that comes with the Windows SDK doesn't see it in Personal, or sees it but doesn't let you delete it if it's in Other People.

The solution I found is if I use Certificates snapin in MMC (Microsoft Management Console) I can successfully see all the certificates and delete any of them too. Just run mmc.exe and then in the file menu go to Add/Remove Snapin, and doubleclick the Certificates snapin. Then select My User Account (or if you want to see the machine certificates instead of the current user certificates, select Computer Account), and press the Finish button. Then click Ok. You'll now be able to view and remove all the certificates that I was previously unable to remove.

These instructions work in Windows 10. I've not verified them in Windows 8.1, 8, 7, Vista, or XP, but they may work on those previous Windows versions as well.


Update:
You can also save the current state of the MMC (such as after the certificates snapins have been loaded) to an MSC file so you can run it later, by simply double clicking the MSC file from Windows Explorer. In fact, I've saved just an MSC file with both Certificates snapins loaded (both the My User Account and Computer Account certificates snapins loaded). I've zipped it to make it attachable and attached it to this message.

[jdc2000]

Thanks for the update. This looks like it will be quite useful.