Why certutil makes difference between – and -

Today I had to troubleshoot certutil. Not a big deal, it was about a removal of a certificate from a smartcard. Usually this takes about 5-15 seconds depending on the method you are using, but today when I helped my boss Mats with his smartcard, certutil didn’t work as expected, and I had to troubleshoot for several minutes.

The funny thing was that the command I have been using MANY times, didn’t work. The command to remove a certificate from a smartcard that is using the Base CSP is certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "id" (replace “id” with your key container).

However, depending on if this command was copied from a chat/e-mail or not, the output of the command differed. Kind of funny actually.

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "id" working (but canceled by me).

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "id" not working (and says that it has too many arguments).

I copied both text strings to notepad and couldn’t see any difference.

My dear friend, the developer Mattias Åslund, mentioned to me later that Microsoft Word could do these things sometimes and do formatting changes that are “hidden” for the cmd console, so I decided to try to copy the text strings into Word.

Just as expected! Word revealed the hidden formatting of the lower line!

After a replacement of the – manually in the cmd console, everything worked fine and my boss could remove his certificate again.

Perhaps I should do like my dear friend Chrisse says and use certutil /delkey /csp "Microsoft Base Smart Card Crypto Provider" "id" instead, to be able to avoid these issues in the future?

// Fredrik “DXter” Jonsson