Performing a Microsoft CA database cleanup is a fairly simple task that every PKI administrator should complete regularly. Why, you ask? Well, there is no point in keeping expired certificates around as they no longer serve a purpose. Doh! Believe it or not, we can also remove failed and stale pending certificate requests from the database. Without further ado, let's get right into how to easily perform a Microsoft CA database cleanup.
QuickSteps – Microsoft CA Database Cleanup
Run the following CERTUTIL commands in Windows PowerShell or Command Prompt:
certutil -backupdb c:\temp
certutil -deleterow mm/dd/yyyy request
certutil -deleterow mm/dd/yyyy cert
certutil -databaselocations
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE"
net start certsvc
- Please note that for larger databases the deleterow command can take hours or even days to complete. If it is taking a while, simply walk away and check again at a later time.
- mm/dd/yyyy refers to the expiration date for certificates up to which to delete database records (submission date for requests). This should be some date in the past!
- FULL-PATH-TO-EDB-FILE refers to the database (.edb) file location and name. For example, c:\windows\system32\CertLog\CAServerName.edb, where CAServerName is the name of the Certification Authority. To find this path simply run the command certutil -databaselocations.
About the Microsoft CA Database
A Microsoft CA stores information about its certificates, requests and published templates in what is called an Extensible Storage Engine (ESE) Database File (EDB), also known as JET Blue. This file is usually located in C:\Windows\System32\CertLog and is named CAServerName.edb where CAServerName is the name of the Certification Authority.
In order to view the contents of this database file on a Microsoft CA server, open the Certification Authority snap-in by running the certsrv.msc command or by adding it to an MMC console (mmc.msc).
The database (.edb) file can get fairly large in some PKI environments and should, hence, be regularly maintained.
Microsoft CA Database Cleanup Procedure
Step 1 – Perform a database backup
certutil -backupdb c:\temp
Step 2 – Delete failed and pending requests
certutil -deleterow mm/dd/yyyy request
Step 3 – Delete expired certificates
certutil -deleterow mm/dd/yyyy cert
Step 4 – Find database location
certutil -databaselocations
Step 5 – Compact the database
Note: The Active Directory Certificate Services (CertSvc) service must be stopped before running the esentutl command and then re-started after defragmentation completes.
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE"
net start certsvc
Step 6 – Verify database size was reduced
[Screenshot: Microsoft CA Database Cleanup – Before (.edb file size)]
[Screenshot: Microsoft CA Database Cleanup – After (.edb file size)]
Now that we have cleaned up the database, our .edb file size went from a whopping 2.7GB to a mere 97MB. What were your BEFORE and AFTER database (.edb) file sizes? Share by posting in the comments below.
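The QuickSteps list and Steps 1 through 6 above are the same procedure, so here is one PowerShell script that runs it end to end and prints the before and after sizes of the .edb file. This is an added example written for this post, not a script from the original author or from Microsoft. It assumes it is run locally on the CA in an elevated PowerShell session, that certutil.exe and esentutl.exe are in their usual System32 location, and that the CA name and database folder can be read from the CertSvc registry configuration (my choice instead of parsing the output of certutil -databaselocations; the -Cutoff and -BackupRoot parameters are also mine).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): runs the six cleanup steps
# end to end and reports the .edb size before and after compaction.
# Assumptions: run locally on the CA as an administrator; certutil.exe and
# esentutl.exe live in %SystemRoot%\System32; Cutoff and BackupRoot are my
# own parameters, not options of the tools.
[CmdletBinding()]
param(
    # Records older than this date are removed (expired certs, stale requests).
    # Must be in the past; defaults to one year ago.
    [datetime]$Cutoff = (Get-Date).AddYears(-1),
    # Root folder for the certutil backup. A timestamped subfolder is created
    # because certutil -backupdb expects an empty target directory.
    [string]$BackupRoot = 'C:\Temp\CABackup'
)

$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
$esentutl = Join-Path $env:SystemRoot 'System32\esentutl.exe'

function Invoke-Native {
    # Run an external command and throw on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgumentList)
    Write-Host ">> $Exe $($ArgumentList -join ' ')"
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

if ($Cutoff -ge (Get-Date)) { throw 'Cutoff must be a date in the past.' }
# certutil expects mm/dd/yyyy, so format the date independently of the locale.
$cutoffText = $Cutoff.ToString('MM/dd/yyyy', [cultureinfo]::InvariantCulture)

# Locate the .edb: Active holds the CA name, DBDirectory the CertLog folder.
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' -ErrorAction Stop
$edbPath = Join-Path $cfg.DBDirectory "$($cfg.Active).edb"
if (-not (Test-Path $edbPath)) { throw "Database file not found: $edbPath" }
$sizeBefore = (Get-Item $edbPath).Length

# Step 1 - back up the database into a fresh, empty folder.
$backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Invoke-Native $certutil @('-backupdb', $backupDir)

# Steps 2 and 3 - delete stale requests, then expired certificates.
# On a large database deleterow can take a very long time (see the post) and,
# in my experience, may return an error before every row is gone, so the
# command is retried until it exits cleanly, with a cap against endless loops.
foreach ($table in 'request', 'cert') {
    $attempt = 0
    do {
        $attempt++
        & $certutil -deleterow $cutoffText $table
        $rc = $LASTEXITCODE
    } while ($rc -ne 0 -and $attempt -lt 50)
    if ($rc -ne 0) { throw "deleterow $table still failing after $attempt attempts (exit code $rc)" }
}

# Step 4 - print the same location information the post asks you to check.
Invoke-Native $certutil @('-databaselocations')

# Step 5 - compact with CertSvc stopped. esentutl /d writes a new file next to
# the old one, so keep free disk space of roughly the database size available.
Stop-Service certsvc -ErrorAction Stop
try {
    Invoke-Native $esentutl @('/d', $edbPath)
} finally {
    # Always bring the CA back, even if defragmentation failed.
    Start-Service certsvc
}

# Step 6 - compare file sizes before and after.
$sizeAfter = (Get-Item $edbPath).Length
[pscustomobject]@{
    Database = $edbPath
    BeforeMB = [math]::Round($sizeBefore / 1MB, 1)
    AfterMB  = [math]::Round($sizeAfter / 1MB, 1)
    Backup   = $backupDir
}
```

Run it as .\Invoke-CaDbCleanup.ps1 -Cutoff '01/01/2020' to use an explicit cutoff; the object it prints at the end gives you the same before and after numbers as the two screenshots above. The service is restarted in a finally block so a failed esentutl run does not leave the CA offline, and the backup folder path is printed so you know which copy to restore from if the compaction goes wrong.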
Great job!