Microsoft CA Database Cleanup

Performing a Microsoft CA Database cleanup is a fairly simple task that every PKI administrator should complete regularly. Why, you ask. Well, there is no point in keeping expired certificates around as they no longer serve a purpose. Doh! Believe it or not, we can also remove failed and stale pending certificate requests from the database. Without further ado, let’s get right into how to easily perform a Micorosft CA database cleanup.

QuickSteps – Microsoft CA Database Cleanup

Run the following CERTUTIL commands in Windows PowerShell or Command Prompt to clean up the CA database:

certutil –backupdb c:\temp
certutil -deleterow mm/dd/yyyy request
certutil -deleterow mm/dd/yyyy cert
certutil -databaselocations
net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE”
net start certsvc
  • Please note that for larger databases the deleterow command can take hours or even days to complete. If it is taking a while, simply walk away and check again at a later time.
  • mm/dd/yyyy refers to the expiration date for certificates up to which to delete database records (submission date for requests) . This should be some date in the past!
  • FULL-PATH-TO-EDB-FILE refers to the database (.edb) file location and name. For example, c:\windows\system32\CertLog\CAServerName.edb, where CAServerName is the name of the Certification Authority. To find this path simply run the command certutil -databaselocations.

About the Microsoft CA Database

A Microsoft CA stores information about its certificates, requests and published templates in what is called an Extensible Storage Engine (ESE) Database File (EDB), also known as JET Blue. This file is usually located in the C:\Windows\System32\CertLog directory and is named CAServerName.edb where CAServerName is the name of the Certification Authority.

In order to view the contents of this database file on a Microsoft CA server we would open a Certification Authority snap-in by running the certsrv.msc command or via MMC Console (mmc.msc).

Microsoft CA Database Cleanup 1

The database (.edb) file can get quite large in some PKI environments and should, hence, be regularly maintained.

Microsoft CA Database Cleanup Procedure

Step 1 – Perform a database backup
certutil –backupdb c:\temp

Microsoft CA Database Cleanup 2 - DB Backup

Step 2 – Delete failed and pending requests
certutil -deleterow mm/dd/yyyy request

Microsoft CA Database Cleanup 3 - deleterow request

Step 3 – Delete expired certificates
certutil -deleterow mm/dd/yyyy cert

Microsoft CA Database Cleanup 4 - deleterow cert

Step 4 – Find database location
certutil -databaselocations

Microsoft CA Database Cleanup 5 - database locations

Step 5 – Compact the database

Note: The Active Directory Certificate Services (CertSvc) service must be stopped before running the esentutl command and then re-started after defragmentation completes.

net stop certsvc
C:\Windows\System32\esentutl /d "FULL-PATH-TO-EDB-FILE”
net start certsvc

Microsoft CA Database Cleanup 7 - Compact Database

Step 6 – Verify database size was reduced

Microsoft CA Database Cleanup – Before
Microsoft CA Database Cleanup 6 - Filesize Before

Microsoft CA Database Cleanup – After
Microsoft CA Database Cleanup 8 - Filesize After

 

Now that we have cleaned up the database, our CA database file size went from a whopping 2.7GB to a mere 97MB. What were your BEFORE and AFTER database (.edb) file sizes? Share by posting a comment below! ↓

Leave a Reply

Your email address will not be published. Required fields are marked *