Sometimes , CA database looks ugly .It is full with failed requests , old un-needed pending requests , and sometimes expired certificates still being reported by the CRL files.
So I’m blogging about what can be cleaned up from the CA database to make it look nice and clean .
CA database contains the following items :
- Revoked Certificates
- Issued Certificates
- Pending Requests
- Failed Requests
Of Couse , revoked and issued certificates can be in expiration state only , which is important dimension when thinking about cleaning CA database .
It is not possible to delete issued non expired certificates . It is also not possible to delete revoked and not expired certificates because you need to retain revocation status of them.
So the following certificates can be deleted from a CA database :
- Issued and expired certificates
- Revoked and expired certificates
In addition , denied and pending requests can be deleted.Those are just requests and no issued certificates are associated with them.
How to perform the deletion ?
This is done using the certutil command line along with the deleterow parameter .You need to specify the type of the data to be deleted according to the below table
For example, if you want to delete all failed and pending requests submitted by January 22, 2010, the command is:
C:\>Certutil -deleterow 1/22/2010 Request
Note :The only problem with this approach is that certutil.exe will only delete about 2,000 – 3,000 records at a time before failing due to exhaustion of the version store.
There is a great blog with more details about how to compact CA database and do professional cleanup here