The user certificate is associated with existing private key when re-imported


When the certificate snap-in is used to delete the user certificate in user personal store, only the certificate is deleted, the private key is left on the machine. If later the same certificate is imported to user personal store, it’s by design that CAPI2 *may* be able to find the private key even though there was no explicit key association attached to the cert after it was re-imported.

More Information

If you want to delete the private key, the simple way is to export a copy of the cert, with the private key, and select the option to delete the key if the export is successful. You can also delete the key with "certutil -delkey", but the UI is easier for most people.