Microsoft CA database cleanup

Sometimes , CA database looks ugly .It is full with failed requests , old un-needed pending requests , and sometimes expired certificates still being reported by the CRL files.

So I’m blogging about what can be cleaned up from the CA database to make it look nice and clean .

CA database contains the following items :

  • Revoked Certificates
  • Issued Certificates
  • Pending Requests
  • Failed Requests

Of Couse , revoked and issued certificates can be in expiration state only , which is important dimension when thinking about cleaning CA database .

It is not possible to delete issued non expired certificates . It is also not possible to delete revoked and not expired certificates because you need to retain revocation status of them.

So the following certificates can be deleted from a CA database :

  • Issued and expired certificates
  • Revoked and expired certificates

In addition , denied and pending requests can be deleted.Those are just requests and no issued certificates are associated with them.

 

How to perform the deletion ?

This is done using the certutil command line along with the deleterow parameter .You need to specify the type of the data to be deleted according to the below table

image

For example, if you want to delete all failed and pending requests submitted by January 22, 2010, the command is:

C:\>Certutil -deleterow 1/22/2010 Request

Note :The only problem with this approach is that certutil.exe will only delete about 2,000 – 3,000 records at a time before failing due to exhaustion of the version store.

There is a great blog with more details about how to compact CA database and do professional cleanup here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s