Remove a certificate from the Windows “Network Service” certificate store


I have a service, running with the “Network Service” permissions that installed a certificate into the “personal certificate store” for the “Network Service”.

For reasons that are beyond the scope of this question, I need to remove that certificate, but using the MMC’s “Certificates” snap-in I failed to find that certificate. I tried opening the certificate store for “Service”->”Local machine”->”Service name”, but there’s nothing there while the service definitely reports that it sees the certificate.

Any idea how I can access that personal certificate store?

Registry editor.

HKEY_USERS\S-1-5-20\Software\Microsoft\SystemCertificates\My

S-1-5-20 is the Network Service account. “My” represents the Personal store.

Delete the entries from there.

Source: http://support.microsoft.com/kb/185059

You don’t have to mess with Registry, see: How do you install a certificate in a PFX file in to the personal container of the NT-AUTHORITY\NetworkService?
It is talking about installation, but nothing prevents you from deleting a certificate.

Using psexec utility from Microsoft / sysinternals did the trick for me.

  1. Download psexec. https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

  2. Open up a new console using psexec that will run as NETWORK SERVICE:

    .\PsExec64.exe -i -u "nt authority\network service" powershell

  3. Run mmc

  4. Add snapin for Certificate and use certificates from “My User Account”

  5. Do whatever you want with the personal certificates for this account

All personal certificates should be visible for NETWORK SERVICE now.

This was at least needed for me to run the tool mage.exe that had a hard time doing code signing under the NETWORK SERVICE account since it only uses personal certificates.
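
The same removal can be done without the MMC snap-in, directly in the PowerShell session that PsExec starts as NETWORK SERVICE. The following is an added example, not code from the answers above; the function names are illustrative, and it assumes the session SID is S-1-5-20 so that `Cert:\CurrentUser\My` is the Network Service personal store.

```powershell
# Added example. Run inside the PowerShell session that PsExec started as
# NETWORK SERVICE. Function names are illustrative, not from the original answers.
$NetworkServiceSid = 'S-1-5-20'
$PersonalStore     = 'Cert:\CurrentUser\My'   # per-account "Personal" (My) store

function Assert-NetworkService {
    # Refuse to continue in any other session, where CurrentUser\My would be
    # a different account's personal store.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.User.Value -ne $NetworkServiceSid) {
        throw "Session runs as $($id.Name) ($($id.User.Value)), expected $NetworkServiceSid."
    }
}

function Get-NetworkServiceCertificate {
    Assert-NetworkService
    Get-ChildItem -Path $PersonalStore |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

function Remove-NetworkServiceCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$DeleteKey   # also delete the associated private key
    )
    Assert-NetworkService
    # Thumbprints copied from the MMC dialog may carry spaces or invisible characters.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $PersonalStore | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $wanted in $PersonalStore"
        return
    }
    $label = "$($cert.Subject) [$($cert.Thumbprint)]"
    if ($PSCmdlet.ShouldProcess($label, 'Remove from NETWORK SERVICE personal store')) {
        if ($DeleteKey) { Remove-Item -LiteralPath $cert.PSPath -DeleteKey }
        else            { Remove-Item -LiteralPath $cert.PSPath }
    }
}

# Usage (the thumbprint is a placeholder):
#   Get-NetworkServiceCertificate | Format-Table -AutoSize
#   Remove-NetworkServiceCertificate -Thumbprint '<thumbprint>' -WhatIf
#   Remove-NetworkServiceCertificate -Thumbprint '<thumbprint>'
```

Running with `-WhatIf` first shows which certificate would be removed without changing the store.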
