This guide provides steps to delete users' S/MIME certificates and private keys stored locally, as well as instructions for removing wrapped keys from the Google Admin Console for Gmail Client-Side Encryption (CSE) with the Virtru Private Keystore.
1. Deleting Certificates and Keys Locally
Use the following commands to delete certificates and private keys from the specified directories. Double-check paths to avoid deleting unintended files.
Delete All User Certificates and Keys
To remove all user certificates and private keys stored locally:
Delete a Specific User’s Certificate and Key
To delete certificates and keys for a specific user, replace user@domain.com with the user’s email prefix:
Verify Deletion
List the directory contents to confirm the files were removed:
2. Deleting Wrapped Keys Locally and on Google Admin Console
Delete Wrapped Keys Locally
Wrapped keys may be stored in a designated directory, such as /var/virtru/cse/wrapped-private-keys. Use the following commands to delete them.
- Delete All Wrapped Keys
- Delete a Specific User’s Wrapped Key
Delete Wrapped Keys on Google Admin Console
To delete S/MIME certificates (wrapped keys) for users in Google Workspace, you can remove certificates manually in the Admin Console or automate the process using the Google Admin SDK API.
Method A: Using the Google Admin Console
- Log in to the Google Admin Console.
- Navigate to Apps > Google Workspace > Gmail > User Settings.
- Choose a user and scroll down to S/MIME settings.
- Locate the certificate you want to delete and click the delete (trash) icon.
Method B: Using the Google Admin SDK API (Automated)
For batch deletion or automation:
- Enable the Admin SDK API if it’s not already active for your project.
- Authenticate with OAuth 2.0 using a service account with domain-wide delegation.
- Use the API endpoint below to delete the certificate for each user:
  Replace:
  - {userKey} with the user’s email address.
  - {smimeId} with the S/MIME certificate ID (retrieve this by listing certificates for the user).
- For multiple users, script this API call to loop through each email.
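The loop described in the last step, as an added example (not Virtru's or Google's code): it lists each user's S/MIME certificates, deletes them, and re-lists to perform the check from section 3. It assumes the Gmail API's users.settings.sendAs.smimeInfo list/delete methods via google-api-python-client and google-auth (the endpoint itself is not shown on this page), a service account with domain-wide delegation, and that the scope, service-account path and user addresses are placeholders to adapt.

```python
"""Added example (not Virtru's or Google's code): batch-delete S/MIME certificates for
a list of Gmail users, then verify. Assumes the Gmail API users.settings.sendAs.smimeInfo
list/delete methods via google-api-python-client; paths and addresses are placeholders."""

# OAuth scope assumed sufficient for smimeInfo list/delete; confirm for your tenant.
SMIME_SCOPE = "https://www.googleapis.com/auth/gmail.settings.basic"

class GmailSmimeClient:
    """Real client: service account with domain-wide delegation, impersonating each user."""
    def __init__(self, sa_json_path: str):
        from google.oauth2 import service_account  # lazy import so the module loads offline
        self._creds = service_account.Credentials.from_service_account_file(
            sa_json_path, scopes=[SMIME_SCOPE])
    def _api(self, user: str):
        from googleapiclient.discovery import build
        svc = build("gmail", "v1", credentials=self._creds.with_subject(user), cache_discovery=False)
        return svc.users().settings().sendAs().smimeInfo()
    def list_certs(self, user: str) -> list[dict]:  # userId="me" is the impersonated user
        return self._api(user).list(userId="me", sendAsEmail=user).execute().get("smimeInfo", [])
    def delete_cert(self, user: str, cert_id: str) -> None:
        self._api(user).delete(userId="me", sendAsEmail=user, id=cert_id).execute()

class InMemorySmimeClient:
    """Constructed stand-in with the same two calls, for dry runs and offline testing."""
    def __init__(self, store: dict[str, list[dict]]):
        self.store = {u: [dict(c) for c in certs] for u, certs in store.items()}
    def list_certs(self, user: str) -> list[dict]:
        return [dict(c) for c in self.store.get(user, [])]
    def delete_cert(self, user: str, cert_id: str) -> None:
        self.store[user] = [c for c in self.store[user] if c["id"] != cert_id]

def purge_smime_certs(client, users: list[str], dry_run: bool = True) -> dict[str, list[str]]:
    """Delete every S/MIME cert of each user; returns {user: [cert ids found]}.
    dry_run=True only reports what would go: run that first, since deletion is permanent."""
    report = {}
    for user in users:
        ids = [c["id"] for c in client.list_certs(user)]
        if not dry_run:
            for cert_id in ids:
                client.delete_cert(user, cert_id)
        report[user] = ids
    return report

def verify_deleted(client, users: list[str]) -> dict[str, bool]:
    """Post-deletion check (section 3): True when the user has no S/MIME certs left."""
    return {u: not client.list_certs(u) for u in users}

# Constructed sample data; swap in GmailSmimeClient("sa.json") for a real run.
SAMPLE = {"alice@example.com": [{"id": "cert-1"}, {"id": "cert-2"}], "bob@example.com": [{"id": "cert-3"}]}
```

Run purge_smime_certs with the default dry_run=True first to review the report, then again with dry_run=False, and finish with verify_deleted on the same user list.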
3. Verify Deletion
To confirm deletion:
- Locally: Verify that the /var/virtru/cse/wrapped-private-keys/ directory is empty or contains no keys for deleted users.
- On Google Admin Console: Check that the S/MIME certificate no longer appears in the user’s settings.
Important Note
These deletions are permanent. Double-check paths, and ensure any required backups are taken before proceeding.