Cleanup and Diagnostic Script – Certificate Purpose and EKU Testing
Remove all test certificates and the test Root CA after EKU validation testing, and diagnose any certificates that were not cleaned up as expected.
Important
This cleanup script removes both the 6 test certificates (from LocalMachine\My) and the Nodinite Test Root CA (from LocalMachine\Root). This ensures complete cleanup of the test PKI infrastructure.
Warning
Run this script after every test session. Never leave test certificates in production environments.
Cleanup Script
# Cleanup all Nodinite Certificate Purpose & EKU test certificates
Write-Host "=== Cleaning up Certificate Purpose test certificates ===" -ForegroundColor Magenta

$removed = 0
$failed = 0

# Certificate stores to clean
# Test CA is in Root store; issued certs are in My store
$stores = @(
    "LocalMachine\My",   # Personal certificates (6 test certs)
    "LocalMachine\Root"  # Trusted Root CA (test Root CA)
)

# Filter for test certificates
$filter = {
    $_.Subject -like "*Nodinite-Test-*" -or
    $_.Subject -like "*Nodinite Testing*" -or
    $_.FriendlyName -like "Nodinite Test -*"
}

# Process each store
foreach ($store in $stores) {
    Write-Host "`nCleaning $store store..." -ForegroundColor Cyan
    $certs = Get-ChildItem "Cert:\$store" -ErrorAction SilentlyContinue | Where-Object $filter
    foreach ($cert in $certs) {
        try {
            Write-Host "  Removing: $($cert.Subject) [$($cert.Thumbprint)]" -ForegroundColor Gray
            Remove-Item -Path "Cert:\$store\$($cert.Thumbprint)" -Force -ErrorAction Stop
            $removed++
        } catch {
            Write-Host "  Failed: $($_.Exception.Message)" -ForegroundColor Red
            $failed++
        }
    }
}

Write-Host "`n=== Cleanup Summary ===" -ForegroundColor Green
Write-Host "  Removed: $removed certificates" -ForegroundColor Cyan
Write-Host "  Failed: $failed certificates" -ForegroundColor $(if ($failed -gt 0) { "Red" } else { "Green" })
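Added example, not part of the Nodinite scripts: a variant of the cleanup loop that supports a -WhatIf dry run, deletes private key material together with each certificate, and re-checks the store after removal. The function name Remove-NodiniteTestCertificate and its -Store parameter are hypothetical, and it assumes the test certificates may carry private keys, which Remove-Item leaves in place unless -DeleteKey is given.

```powershell
# Added example, not part of the Nodinite script. The function name and its
# parameter are hypothetical; stores and filters are the ones used on this page.
function Remove-NodiniteTestCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Store = @('LocalMachine\My', 'LocalMachine\Root')
    )

    foreach ($s in $Store) {
        $certs = @(Get-ChildItem "Cert:\$s" -ErrorAction SilentlyContinue | Where-Object {
            $_.Subject -like '*Nodinite-Test-*' -or
            $_.Subject -like '*Nodinite Testing*' -or
            $_.FriendlyName -like 'Nodinite Test -*'
        })

        foreach ($cert in $certs) {
            $path   = "Cert:\$s\$($cert.Thumbprint)"
            $target = "$($cert.Subject) [$($cert.Thumbprint)] in $s"

            $removeArgs = @{ Path = $path; Force = $true; ErrorAction = 'Stop' }
            # -DeleteKey is a dynamic parameter of the Certificate provider: it
            # deletes the private key together with the certificate.
            if ($cert.HasPrivateKey) { $removeArgs.DeleteKey = $true }

            $errorText = $null
            if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
                try { Remove-Item @removeArgs } catch { $errorText = $_.Exception.Message }
            }

            # One result object per matching certificate; StillPresent is
            # re-read from the store rather than assumed.
            [PSCustomObject]@{
                Store         = $s
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HadPrivateKey = $cert.HasPrivateKey
                StillPresent  = Test-Path -Path $path
                Error         = $errorText
            }
        }
    }
}

# Dry run: prints "What if:" lines and removes nothing.
Remove-NodiniteTestCertificate -WhatIf | Format-Table -AutoSize
```

Without -WhatIf, run it from an elevated session; any row with StillPresent set to True means the cleanup is incomplete.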
Diagnostic Script
If certificates are not being cleaned up as expected, use this script to scan all certificate stores and identify what Nodinite is detecting:
# Diagnostic: Find all test certificates with full details
Write-Host "=== Certificate Diagnostic Tool ===" -ForegroundColor Magenta
Write-Host "Searching for test certificates across all properties..." -ForegroundColor Cyan

$allCerts = @()
$stores = @(
    "LocalMachine\My",
    "LocalMachine\Root"
)

# Scan all certificate stores
foreach ($store in $stores) {
    Write-Host "`nScanning $store..." -ForegroundColor Yellow
    $count = 0
    Get-ChildItem "Cert:\$store" -ErrorAction SilentlyContinue | ForEach-Object {
        $allCerts += [PSCustomObject]@{
            Store        = $store
            Subject      = $_.Subject
            FriendlyName = $_.FriendlyName
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            Issuer       = $_.Issuer
        }
        $count++
    }
    Write-Host "  Found $count total certificate(s) in store" -ForegroundColor Gray
}

# Filter for test certificates
# @() keeps the result an array, so .Count is also correct when exactly one
# certificate matches (Windows PowerShell 5.1 has no .Count on a single PSCustomObject)
Write-Host "`nFiltering for test certificates..." -ForegroundColor Yellow
$testCerts = @($allCerts | Where-Object {
    $_.Subject -like "*Nodinite-Test-*" -or
    $_.Subject -like "*Nodinite Testing*" -or
    $_.FriendlyName -like "Nodinite Test -*" -or
    $_.Issuer -like "*Nodinite Testing*"
})

if ($testCerts.Count -eq 0) {
    Write-Host "`nNo test certificates found. Cleanup is complete." -ForegroundColor Green
} else {
    Write-Host "`nFound $($testCerts.Count) test certificate(s):" -ForegroundColor Cyan
    $testCerts | Format-Table Store, Subject, Thumbprint -AutoSize -Wrap

    Write-Host "`nBreakdown by store:" -ForegroundColor Cyan
    $testCerts | Group-Object Store | ForEach-Object {
        Write-Host "  $($_.Name): $($_.Count) certificate(s)" -ForegroundColor White
    }

    Write-Host "`nTo remove these certificates, run the cleanup script above." -ForegroundColor Yellow
}
Next Steps
- Return to FAQ - Certificate Purpose and EKU Testing Scenarios to confirm all validation checklist items are complete