Microsoft CA Database Cleanup

Performing a Microsoft CA Database cleanup is a fairly simple task that every PKI administrator should complete regularly. Why, you ask? Well, there is no point in keeping expired certificates around as they no longer serve a purpose. Doh! Believe it or not, failed and stale pending certificate requests can also be removed from the database. Without further ado, let’s get right into how to easily perform a Microsoft CA database cleanup.

QuickSteps – Microsoft CA Database Cleanup

Run the following commands (certutil, net and esentutl) in Windows PowerShell or Command Prompt to clean up the CA database:

certutil -backupdb c:\temp
certutil -deleterow mm/dd/yyyy request
certutil -deleterow mm/dd/yyyy cert
certutil -databaselocations
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE"
net start certsvc
  • Please note that for larger databases the deleterow command can take hours or even days to complete. If it is taking a while, simply walk away and check again at a later time.
  • mm/dd/yyyy is the cutoff date: database records up to that date are deleted (the certificate expiration date for cert, the submission date for request). This should be some date in the past! Do not delete unexpired certificates.
  • FULL-PATH-TO-EDB-FILE refers to the location and name of the database (.edb) file. For example, c:\windows\system32\CertLog\CAServerName.edb, where CAServerName is the name of the Certification Authority. To find this path, simply run certutil -databaselocations.

About the Microsoft CA Database

A Microsoft CA stores information about its certificates, requests and published templates in what is called an Extensible Storage Engine (ESE) Database File (EDB), also known as JET Blue. This file is usually located in the C:\Windows\System32\CertLog directory and is named CAServerName.edb where CAServerName is the name of the Certification Authority.

To view the contents of this database on a Microsoft CA server, open the Certification Authority snap-in by running certsrv.msc, or add the snap-in to an MMC console (mmc.exe).


The database (.edb) file can get quite large in some PKI environments and should therefore be maintained regularly.

Microsoft CA Database Cleanup Procedure

Step 1 – Perform a database backup
certutil -backupdb c:\temp

[Screenshot: DB backup]

Step 2 – Delete failed and pending requests
certutil -deleterow mm/dd/yyyy request

[Screenshot: deleterow request]

Step 3 – Delete expired certificates
certutil -deleterow mm/dd/yyyy cert

[Screenshot: deleterow cert]

Step 4 – Find database location
certutil -databaselocations

[Screenshot: database locations]

Step 5 – Compact the database

Note: The Active Directory Certificate Services (CertSvc) service must be stopped before running the esentutl command and restarted after defragmentation completes.

net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE"
net start certsvc

[Screenshot: compact database]

Step 6 – Verify that the database size was reduced

Before: [Screenshot: .edb file size before cleanup]
After: [Screenshot: .edb file size after cleanup]
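The QuickSteps list and Steps 1 to 6 above, as one PowerShell script. This is an added example, not code from the original post. It assumes an elevated session on the CA host, certutil.exe and esentutl.exe on PATH, a US short-date locale for the mm/dd/yyyy argument, and reads the CA name and database directory from the CertSvc Configuration registry key (the same values that certutil -databaselocations prints). The parameter names ($BackupRoot, $MonthsToKeep, -Compact) and the helper Invoke-DeleteRow are chosen here. It goes beyond the page in two places: it refuses a cutoff that is not in the past, so unexpired certificates are never deleted, and it re-runs deleterow while certutil returns ERROR_MORE_DATA, the code certutil uses to signal that a batch was deleted and more rows remain.

```powershell
# Added example (not from the original post): Microsoft CA database cleanup end to end.
# Assumptions: run elevated on the CA host; certutil.exe and esentutl.exe are on PATH;
# the session uses a US short-date locale, because certutil parses the date with the
# current locale. $BackupRoot, $MonthsToKeep and -Compact are names chosen here.
param(
    [string]$BackupRoot   = 'C:\temp',
    [int]   $MonthsToKeep = 0,      # 0 = remove everything already expired as of today
    [switch]$Compact                # also stop CertSvc and defragment the .edb file
)

$ErrorActionPreference = 'Stop'
# Keep native exit codes readable instead of turning them into terminating errors
# (only meaningful on PowerShell 7.4+; harmless on Windows PowerShell 5.1).
$PSNativeCommandUseErrorActionPreference = $false

# Safety check: the cutoff must be in the past, never today or later.
$cutoffDate = (Get-Date).Date.AddMonths(-$MonthsToKeep)
if ($cutoffDate -ge (Get-Date).Date) {
    throw "Cutoff $cutoffDate is not in the past; refusing to delete unexpired certificates."
}
$cutoff = $cutoffDate.ToString('MM/dd/yyyy')   # mm/dd/yyyy as certutil expects on a US locale

# Locate the database file: CA name (Active) and DBDirectory come from the CertSvc
# registry configuration, the same values certutil -databaselocations reports.
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$edb = Join-Path $cfg.DBDirectory ('{0}.edb' -f $cfg.Active)
if (-not (Test-Path $edb)) { throw "CA database not found at $edb" }
$before = (Get-Item $edb).Length

# Step 1: back up into a fresh, empty directory (certutil refuses a non-empty one).
$backupDir = Join-Path $BackupRoot ('CABackup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir | Out-Null
& certutil.exe -backupdb $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# Steps 2 and 3: deleterow. certutil deletes rows in batches and exits with
# 0x800700EA (ERROR_MORE_DATA, -2147024662 as a signed int) while rows remain,
# so loop until it reports 0. On a large database this can take hours or days.
function Invoke-DeleteRow([string]$Table) {
    do {
        & certutil.exe -deleterow $cutoff $Table
        $rc = $LASTEXITCODE
    } while ($rc -eq -2147024662)
    if ($rc -ne 0) { throw "certutil -deleterow $Table failed with exit code $rc" }
}
Invoke-DeleteRow 'request'   # failed and pending requests submitted before the cutoff
Invoke-DeleteRow 'cert'      # certificates that expired before the cutoff

# Step 4: record the database locations in the run output.
& certutil.exe -databaselocations

# Step 5: compact. CertSvc must be stopped while esentutl runs; the finally block
# guarantees the service is started again even if the defragmentation fails.
if ($Compact) {
    Stop-Service certsvc
    try {
        & esentutl.exe /d $edb
        if ($LASTEXITCODE -ne 0) { throw "esentutl /d failed with exit code $LASTEXITCODE" }
    }
    finally {
        Start-Service certsvc
    }
}

# Step 6: report the file size before and after.
$after = (Get-Item $edb).Length
'{0}: {1:N0} MB before, {2:N0} MB after' -f $edb, ($before / 1MB), ($after / 1MB)
```

Save it as, for example, Invoke-CADbCleanup.ps1 and run it from an elevated PowerShell prompt on the CA: .\Invoke-CADbCleanup.ps1 -MonthsToKeep 1 -Compact keeps records that expired within the last month and compacts the file afterwards. The date string is built with a fixed MM/dd/yyyy format; on a CA whose system locale uses a different short-date order, change that format string to match, since certutil interprets the argument using the current locale.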


Now that we have cleaned up the database, our CA database file size went from a whopping 2.7GB to a mere 97MB. What were your BEFORE and AFTER database (.edb) file sizes? Share by posting a comment below!

5 thoughts on “Microsoft CA Database Cleanup”

  1. Excellent guide for Microsoft CA Database Cleanup.
    Thank you very much for sharing. It helped me understand the cleanup process.

  2. Thanks! Straightforward and direct instructions. Disk size did seem to increase after deleting some expired certs.

  3. Thanks for the guide….
    I am running into an issue which I am talking about on Reddit here – https://www.reddit.com/r/sysadmin/comments/1cp5478/cleaning_up_ca_seems_to_have_hung_anyone_have/

    Basically the command “certutil -deleterow mm/dd/yyyy request” is hanging and the CPU used by certsvc.exe goes to 100%.
    My gut feel is that there is a corrupt record or similar that is getting the process stuck in a loop. Have you seen that before? Or do you have any suggestions on what I can do to get around it?

  4. Hi Ben. We’ve seen certutil -deleterow run upwards of 3 days. We’d normally just walk away and let it do its thing. We’ve on several occasions also just hit CTRL+C to stop it and then kicked it off at a later, more convenient time. Best is to just let it run as long as it needs to complete. Maybe kick it off on a Friday evening or during off hours to allow it to complete. From our experience, in each case, it always eventually completes.
