Topic Last Modified: 2010-12-06

Removes a certificate previously marked as being available for use by Microsoft Lync Server 2010.


Remove-CsCertificate [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-NetportId <String>] [-Report <String>] [-Type <CertType[]>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description




Type of certificate to be deleted. Certificate types include (but are not limited to):







PICWebService (Microsoft Lync Online 2010 only)

ProvisionService (Microsoft Lync Online 2010 only)




For example, this syntax deletes the Default certificate: -Type Default.

You can delete multiple types in a single command by separating the certificate types with commas:

-Type Internal,External,Default




Reserved for future use. This parameter is for certificates dedicated to a specific port, a scenario not yet supported by Lync Server.



Switch Parameter

Bypasses the confirmation prompt that typically occurs if you attempt to delete a certificate that is currently in use.




Enables you to record detailed information about the procedures carried out by Remove-CsCertificate. The parameter value should be the full path to the HTML file to be generated; for example: -Report C:\Logs\Certificates.html. If the specified file already exists it will automatically be overwritten with the new information.



Switch Parameter

Describes what would happen if you executed the command without actually executing the command.



Switch Parameter

Prompts you for confirmation before executing the command.

Detailed Description

Lync Server 2010 uses certificates as a way for servers and server roles to verify their identities; for example, an Edge Server uses certificates to verify that the computer it is communicating with really is a Front End Server, and vice versa. In order to fully implement Lync Server, you will need to have the appropriate certificates assigned to the appropriate server roles.

The Remove-CsCertificate cmdlet provides a way for you to remove certificates currently in use by Lync Server. Remove-CsCertificate does not actually delete the certificate itself; instead, it marks the certificate as no longer being available for use by Lync Server, removes any certificate bindings, and revokes access permissions to the certificate (assuming no other service is using the certificate). Among other things, this means that the certificate will no longer appear when you run the Get-CsCertificate cmdlet.

To again use the certificate with Lync Server you will need to reassign the certificate to Lync Server 2010 by using the Set-CsCertificate cmdlet.

If you try to remove a certificate that is currently in use, Remove-CsCertificate will be ask if you are sure that you want to remove the certificate; the certificate cannot be removed until you respond to that prompt. To bypass the prompt, and silently delete a certificate even if it is currently in use, add the Force parameter to your command:

Remove-CsCertificate –Type WebServicesExternal -Force

Who can run this cmdlet: You must be a local administrator and a member of the domain in order to run the Remove-CsCertificate cmdlet locally. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Remove-CsCertificate"}

Input Types

None. Remove-CsCertificate does not accept pipelined input.

Return Types

None. Instead, Remove-CsCertificate deletes instances of the Microsoft.Rtc.Management.Deployment.CertificateReference object.


-------------------------- Example 1 ------------------------

Copy Code
Remove-CsCertificate -Type WebServicesExternal

The command shown in Example 1 deletes all the WebServicesExternal certificates available to Lync Server. If any of these certificates are currently being used, Remove-CsCertificate will ask you if you are sure you want to remove the certificate; you must respond to that prompt before the command can complete. To bypass the confirmation prompt, use the Force parameter:

Remove-CsCertificate –Type WebServicesExternal -Force

See Also