C# Delete Certificates from a Local Machine Certificates Store

Posted: April 29, 2009 in Uncategorized

The following code compiles to a command-line executable that removes certificates from the Local Machine Personal (My) store, but only when each certificate was issued by the old CA, carries the "IP security end system" extended key usage, and a replacement certificate from the new CA with the same usage is already present in the store. It must run with rights to open that store read-write (normally an administrator), and it writes the outcome to the event log. I've also removed a couple of errors from the previous post.

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Collections;

 
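namespace storetest
{
    /// <summary>
    /// Command-line tool that removes superseded IPsec machine certificates from the
    /// Local Machine "My" (Personal) store. A certificate is removed only when it was
    /// issued by the old CA, carries the ipsecEndSystem extended key usage, and a
    /// certificate from the new CA with the same usage is already present.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Object identifier of the ipsecEndSystem extended key usage
        /// (id-kp-ipsecEndSystem, shown by Windows as "IP security end system").
        /// Matching on the OID instead of the localized display text keeps the
        /// check working on non-English systems.
        /// </summary>
        private const string IpsecEndSystemEkuOid = "1.3.6.1.5.5.7.3.5";

        /// <summary>
        /// Entry point. Opens the Local Machine personal store read-write, classifies
        /// every certificate, removes the old IPsec certificates when a new one exists,
        /// and records the result (codes 1-4) in the event log; any exception is logged
        /// with code 5. Opening the store read-write normally requires administrator rights.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            try
            {
                bool newIPSECPresent = false;
                bool oldIPSECPresent = false;
                EventLogger eLog = new EventLogger();
                // Candidates are collected first and removed after enumeration so the
                // store's certificate collection is never modified while being iterated.
                List<X509Certificate2> oldcerts = new List<X509Certificate2>();

                X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
                store.Open(OpenFlags.ReadWrite);
                try
                {
                    foreach (X509Certificate2 cert in store.Certificates)
                    {
                        string issuerName = cert.Issuer;
                        Console.WriteLine("");
                        Console.WriteLine("SubjectName:" + cert.SubjectName.Name);
                        Console.WriteLine("IssuerName:" + issuerName);

                        bool ipsecPresent = HasIpsecEndSystemEku(cert);
                        if (ipsecPresent)
                        {
                            Console.WriteLine("IPSEC Present");
                        }

                        // A certificate is only ever a deletion candidate when BOTH the
                        // issuer and the EKU match; issuer alone is never enough.
                        if (IsOldIssuer(issuerName) && ipsecPresent)
                        {
                            oldIPSECPresent = true;
                            oldcerts.Add(cert);
                        }
                        if (IsNewIssuer(issuerName) && ipsecPresent)
                        {
                            newIPSECPresent = true;
                        }
                    }

                    // Safety rule: never delete the old certificate unless its replacement
                    // is already in the store, otherwise IPsec would be left with no cert.
                    if (newIPSECPresent && oldIPSECPresent)
                    {
                        foreach (X509Certificate2 oldcert in oldcerts)
                        {
                            Console.WriteLine("Removed: " + oldcert.SubjectName.Name);
                            // NOTE(review): Remove() drops the certificate entry from the
                            // store; confirm separately whether the private key container
                            // also needs cleaning up for this deployment.
                            store.Remove(oldcert);
                        }

                        Console.WriteLine("Certificates removed");
                        eLog.updateEventLog("TA IPSEC certificates removed", 1);
                    }
                    else if (!newIPSECPresent && oldIPSECPresent)
                    {
                        eLog.updateEventLog("No CI IPSEC cert so TA IPSEC cert untouched", 2);
                    }
                    else if (!newIPSECPresent && !oldIPSECPresent)
                    {
                        eLog.updateEventLog("No IPSEC Certificates present", 3);
                    }
                    else
                    {
                        eLog.updateEventLog("No TA IPSEC Certificates present", 4);
                    }
                }
                finally
                {
                    // The original never closed the store; release the handle even when
                    // enumeration or removal throws.
                    store.Close();
                }
                Console.WriteLine("End");
            }
            catch (Exception Ex)
            {
                EventLogger eLog = new EventLogger();
                eLog.updateEventLog(Ex.Message, 5);
                Console.WriteLine(Ex.Message);
            }
        }

        /// <summary>
        /// True when the issuer distinguished name belongs to the old (TA) CA hierarchy.
        /// </summary>
        /// <param name="issuerName">Issuer DN as returned by <see cref="X509Certificate2.Issuer"/>.</param>
        private static bool IsOldIssuer(string issuerName)
        {
            // NOTE(review): substring matching on the DN is loose ("AS-CA" also matches any
            // longer name containing it). If the exact issuer DN or the issuing CA's
            // thumbprint is known, compare against that instead.
            return issuerName.Contains("AS-L2CA") || issuerName.Contains("AS-CA");
        }

        /// <summary>
        /// True when the issuer distinguished name belongs to the new (CI) CA hierarchy.
        /// </summary>
        /// <param name="issuerName">Issuer DN as returned by <see cref="X509Certificate2.Issuer"/>.</param>
        private static bool IsNewIssuer(string issuerName)
        {
            // NOTE(review): same caveat as IsOldIssuer - this is a substring test, not an
            // exact issuer match.
            return issuerName.Contains("L1CA");
        }

        /// <summary>
        /// True when the certificate's Enhanced Key Usage extension lists the
        /// ipsecEndSystem OID. Checks the OID value rather than the localized text
        /// produced by <c>X509Extension.Format</c>.
        /// </summary>
        /// <param name="cert">Certificate to inspect.</param>
        private static bool HasIpsecEndSystemEku(X509Certificate2 cert)
        {
            foreach (X509Extension ext in cert.Extensions)
            {
                X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
                if (eku == null)
                {
                    continue;
                }
                foreach (Oid usage in eku.EnhancedKeyUsages)
                {
                    if (string.Equals(usage.Value, IpsecEndSystemEkuOid, StringComparison.Ordinal))
                    {
                        return true;
                    }
                }
            }
            return false;
        }
    }
}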
