The Steps In PKI Certificate Removal For S/MIME Digital Email

With every SSL/TLS product, there are several factors that are the same. These form the definition of SSL, or what makes all of these products universally recognizable and useful for creating a safe exchange of information online, whether through email or data transmitted from a website to a server.

One of the essential central elements of any SSL/TLS product, from the PKI certificates for domains and subdomains through to the Personal Authentication Certificates for email, is the need for the Certificate Authority to provide an issue date and an expiry date.

Between these two dates the cert will be in effect and the public and private key can be used for encryption or decryption depending on the type of certificate. The keys are actually programmed to operate only during the term of the certificate, or the time between the date of issuance and the expiration date.

This is also true for the S/MIME (Secure/Multipurpose Internet Mail Extensions) digital email certificates. As you will have your own cert installed as well as the certificates of those with whom you exchange encrypted email, there may be a time when you choose to complete a removal.

A Word of Warning

Before attempting any PKI certificate removal, it is essential to consider several different issues. If you currently have email from the certificate owner in encrypted form and you choose to complete the PKI certificate removal, you will no longer be able to access and read that email.

This is not just email that has yet to be received. Rather, it includes all email that is currently on your email client from that sender or those senders. The decryption will no longer be possible because the certificate is bound to the public key for that account. Removing the certificate from the certificate store will remove the public key, preventing your email client from being able to read the encrypted messages.

However, if you do remove a certificate by mistake, you can enter the certificate again. Simply go through the process of importing the digital certificate again and configuring it for the email client as per the original method used.

System By System

There is a different process used by each browser, email client or device to complete PKI certificate removal. By searching our knowledge base for the specific email client, browser or device, you can find step-by-step instructions for the process.

In most cases, it is a simple procedure: go back into your Settings and Options section, click on the Advanced or similar section, and view the list of certificates installed on the system or device. Make sure you are in the personal section or the "your certificates" area. Do not delete certificates from other categories unless you are very sure of the correct process and the issues potentially caused by making this type of removal.

Generally, the actual PKI certificate removal is as simple as highlighting or clicking on the specific certificate and then clicking delete. Most people will do this with any expired certificates, simply to remove them from the system and avoid clutter.

Most systems will also provide you with a confirmation box, asking you to confirm that you actually wish to delete the certificate. Clicking the yes or confirm button will complete the process. The specific certificate should no longer be displayed in your listing under the appropriate personal or "your certificates" tab.

Businesses also typically remove all expired certificates to keep the certificate list manageable in the various certificate management tools. An IT professional may also wish to simply file these expired certificates if the system is configured to archive keys.

For these more advanced types of PKI certificate removal where there may be dozens of certs to remove at one time, it is possible to use a command line to remove those expired certs from the master list. There is also a command that can be used to remove any failed requests for certs.
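For a user's own personal store on Windows (not the CA's master list), the review-then-remove procedure described above can be scripted as follows. This is an added example, not a command from this article or from Comodo: it assumes Windows PowerShell with the `Cert:` drive, and the `$BackupDir` folder and `$Remove` switch are hypothetical names.

```powershell
# Added example: review expired certificates in the personal store before removal.
# Assumptions: Windows PowerShell with the Cert: drive available; $BackupDir and
# $Remove are illustrative names, not taken from the article.
param(
    [string]$BackupDir = "$env:USERPROFILE\cert-backup",  # hypothetical location
    [switch]$Remove                                        # without this, nothing is deleted
)

$now      = Get-Date
$emailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (S/MIME) enhanced key usage

# Only the personal store ("your certificates"); other stores are left alone.
$expired = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.NotAfter -lt $now }

foreach ($cert in $expired) {
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $isEmail = $ekuOids -contains $emailOid

    # Report every expired certificate with the fields needed to decide.
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SecureEmail   = $isEmail
    }

    if (-not $Remove) { continue }   # default is report only

    # Keep a copy first so the certificate can be imported again if needed.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $file | Out-Null

    if ($cert.HasPrivateKey -and $isEmail) {
        # Removal can leave encrypted mail unreadable, so these are never
        # deleted automatically; decide on them by hand.
        Write-Warning "Skipped $($cert.Thumbprint): S/MIME certificate with private key"
        continue
    }

    # -Confirm reproduces the confirmation box for each certificate.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -Confirm
}
```

Run without `-Remove`, the script only lists expired certificates; the `.cer` backup holds the certificate itself, not its private key.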

Keep in mind that removing a certificate is not the same as revoking a certificate. Only the CA or a designated administrator using our Comodo EPKI Manager can revoke a certificate. If you need to revoke a Personal Authentication Certificate, you will need to provide the password you supplied when you submitted the application.

To learn more about removing a PKI certificate and what products you may want to consider as a replacement, see our sales team online at You can use our live chat system from the website or give us a call at +1 888 266 6361 to get started.
