Performing a Microsoft CA Database cleanup is a fairly simple task that every PKI administrator should complete regularly. Why, you ask. Well, there is no point in keeping expired certificates around as they no longer serve a purpose. Doh! Believe it or not, failed and stale pending certificate requests can also be removed from the database. Without further ado, let’s get right into how to easily perform a Micorosft CA database cleanup.
QuickSteps – Microsoft CA Database Cleanup
Run the following CERTUTIL commands in Windows PowerShell or Command Prompt to clean up the CA database:
certutil –backupdb c:\temp
certutil -deleterow mm/dd/yyyy request
certutil -deleterow mm/dd/yyyy cert
certutil -databaselocations
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE”
net start certsvc- Please note that for larger databases the deleterow command can take hours or even days to complete. If it is taking a while, simply walk away and check again at a later time.
- mm/dd/yyyy refers to the certificate expiration date up to which to delete database records (submission date for requests) . This should be some date in the past! Do not delete unexpired certificates.
- FULL-PATH-TO-EDB-FILE refers to the database (.edb) file location and name. For example, c:\windows\system32\CertLog\CAServerName.edb, where CAServerName is the name of the Certification Authority. To find this path simply run the command
certutil -databaselocations.
About the Microsoft CA Database
A Microsoft CA stores information about its certificates, requests and published templates in what is called an Extensible Storage Engine (ESE) Database File (EDB), also known as JET Blue. This file is usually located in the C:\Windows\System32\CertLog directory and is named CAServerName.edb where CAServerName is the name of the Certification Authority.
In order to view the contents of this database file on a Microsoft CA server we would open a Certification Authority snap-in by running the certsrv.msc command or via MMC Console (mmc.msc).
The database (.edb) file can get quite large in some PKI environments and should, hence, be regularly maintained.
Microsoft CA Database Cleanup Procedure
Step 1 – Perform a database backup
certutil –backupdb c:\temp
Step 2 – Delete failed and pending requests
certutil -deleterow mm/dd/yyyy request
Step 3 – Delete expired certificates
certutil -deleterow mm/dd/yyyy cert
Step 4 – Find database location
certutil -databaselocations
Step 5 – Compact the database
Note: The Active Directory Certificate Services (CertSvc) service must be stopped before running the esentutl command and then re-started after defragmentation completes.
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE”
net start certsvc
Step 6 – Verify database size was reduced
Microsoft CA Database Cleanup – Before
Microsoft CA Database Cleanup – After
Now that we have cleaned up the database, our CA database file size went from a whopping 2.7GB to a mere 97MB. What were your BEFORE and AFTER database (.edb) file sizes? Share by posting a comment below! ↓
One thought on “Microsoft CA Database Cleanup”
Excellent guide for Microsoft CA Database Cleanup.
Thank you very much for sharing. It helped me understand the cleanup process.