When deleting a certificate, only a nickname can be passed in to certutil with -n. In many cases (e.g. cert renewals), there are multiple certificates under a given nickname, but customers only want to delete a specific one. certutil currently will only delete one certificate under the specified nickname, and uses a non-deterministic method to select which one.

I propose that:
- we add an optional serial number option to be used in conjunction with -D and -n, to select a specific cert by serial number
- if a serial number isn't passed in, certutil should always look for multiple certs under the given nickname, and if it finds more than one, should prompt the user if he wants to delete all of them at once.

I realize there could still be two certs with the same subject and serial number if they were from different issuers, but I don't think it's common enough to warrant passing an additional issuer argument to differentiate them in this case. We would just delete all the certs matching the serial # specified if there is more than one.
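The selection rules proposed above, modelled as an added example that is not part of the original report and is not certutil or NSS code. The `Cert` record, `plan_delete`, `parse_serial`, the accepted serial formats and the sample database are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    nickname: str
    serial: int
    issuer: str

# Constructed sample database: a renewal left two certs under one nickname,
# and a second issuer happens to have used the same serial number.
DB = [
    Cert("Server-Cert", 0x1001, "CN=CA One"),
    Cert("Server-Cert", 0x1002, "CN=CA One"),
    Cert("Server-Cert", 0x1002, "CN=CA Two"),
    Cert("Other-Cert", 5, "CN=CA One"),
]

def parse_serial(text):
    """Assumed input formats: 0x-prefixed hex, colon-separated hex bytes, or decimal."""
    t = text.strip().lower()
    if ":" in t:
        return int(t.replace(":", ""), 16)
    return int(t, 16) if t.startswith("0x") else int(t)

def plan_delete(db, nickname, serial=None, confirm=lambda certs: False):
    """Return the certs that would be deleted; never picks one arbitrarily.

    confirm is called only when no serial is given and several certs share
    the nickname. The default refuses, so a non-interactive run deletes nothing.
    """
    matches = [c for c in db if c.nickname == nickname]
    if not matches:
        raise LookupError(f"no certificate with nickname {nickname!r}")
    if serial is not None:
        wanted = parse_serial(serial)
        chosen = [c for c in matches if c.serial == wanted]
        if not chosen:
            raise LookupError(f"no cert under {nickname!r} with serial {wanted:#x}")
        # Same serial from different issuers: all of them are selected.
        return chosen
    if len(matches) == 1:
        return matches
    return matches if confirm(matches) else []

if __name__ == "__main__":
    for c in plan_delete(DB, "Server-Cert", "10:02"):
        print(f"would delete {c.nickname} serial={c.serial:#x} issuer={c.issuer}")
```
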