To remove unused Windows 2000 Certificate Server key pairs, you would use the Certutil.exe utility, which is available on a Windows 2000 server that has Certificate Services installed:

1. To list the installed keys, open a CMD.EXE window and type:

certutil -key

2. The container names for installed Certification Authorities are listed under Microsoft Base Cryptographic Provider v1.0.

3. To delete an unused container, type:

certutil -delkey <CA_Name>.

NOTE: See How to Use Key and Certificate Backup/Restore Utility.