Microsoft Certification Authority Database

Microsoft CA database cleanup is a task most administrators either forget about or never get around to performing.

The Certification Authority database contains a record for every certificate issued, plus all pending and failed requests. Revoked certificates are also kept in the database, so that a certificate revocation list (CRL) can be generated on a regular schedule.

In a large and busy certification authority, with many users, computers, and services requesting digital certificates, you end up with a big database full of what are, frankly, garbage records.

I want to share which kinds of records are eligible to be purged, and how to perform a Microsoft CA database cleanup.

Microsoft CA database cleanup

The following are some of the record types that exist in the certification authority database:

  • Revoked Certificates
  • Issued Certificates
  • Pending Requests
  • Failed Requests

Issued certificates should not be deleted from the CA until they expire, and revoked certificates should not be deleted before they expire either, because they feed the CRL content. A CRL, or certificate revocation list, is a list maintained by the certification authority that tells certificate consumers which certificates have been revoked, so that they can perform a revocation check before accepting a presented certificate.

That said, you can delete expired certificates (issued certificates that are beyond their validity period) without any side effect.

The two record types that you can delete at any time are:

  1. Issued and expired certificates.
  2. Revoked and expired certificates.

In addition, failed (denied) and pending requests can be deleted. These are just certificate requests, and no issued certificate is associated with them.

How to perform the deletion?

This is done with the certutil command-line tool and its -deleterow parameter. You need to specify the type of records to be deleted according to the table below.

[Image not preserved in this copy: table of the record types accepted by certutil -deleterow]

For example, if you want to delete all failed and pending requests submitted on or before January 22, 2010, the command is:

certutil -deleterow 1/22/2010 Request

(the date is in mm/dd/yyyy format)

Note: The only problem with this approach is that certutil.exe will only delete about 2,000 to 3,000 records at a time before failing due to exhaustion of the version store.
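Because of that version-store limit, the command has to be repeated until no matching rows are left. The PowerShell function below is an added example, not code from the original article or from Microsoft: it wraps certutil -deleterow in a loop that restarts on the version-store error, stops on any other failure, and optionally takes a CA database backup first. Assumptions not stated on the page: the script runs in an elevated PowerShell session on the CA server itself; Cert is the -deleterow row type for expired certificates alongside the page's Request; certutil surfaces the ESE version-store error (JET_errVersionStoreOutOfMemory, -1069) as HRESULT 0xC800042D, which is -939523027 as a signed 32-bit exit code; the -backupDB step and the backup folder path are an added precaution with a placeholder path.

```powershell
# Added example (not from the original article): loop certutil -deleterow until the
# CA database has no rows left to purge, instead of stopping at the first
# version-store exhaustion failure.

# ESE JET_errVersionStoreOutOfMemory (-1069) as certutil reports it: 0xC800042D,
# i.e. -939523027 when read as a signed 32-bit exit code. (Assumed value, see lead-in.)
$VersionStoreExhausted = -939523027

function Invoke-CaDatabaseCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Rows dated on or before this day are deleted; certutil expects mm/dd/yyyy.
        # Note that [datetime] parsing of a string like '1/22/2010' follows the session culture.
        [Parameter(Mandatory)] [datetime] $Before,

        # 'Request' = failed and pending requests (from the page);
        # 'Cert'    = expired issued and revoked certificates (assumed row type, see lead-in).
        [Parameter(Mandatory)] [ValidateSet('Request', 'Cert')] [string] $RowType,

        # Optional: take a CA database backup into a timestamped subfolder before deleting.
        [string] $BackupPath,

        # Upper bound on certutil invocations so a repeating unexpected error cannot spin forever.
        [int] $MaxPasses = 500
    )

    $dateArg = $Before.ToString('MM/dd/yyyy', [cultureinfo]::InvariantCulture)

    if (-not $PSCmdlet.ShouldProcess("CA database: $RowType rows dated on or before $dateArg", 'certutil -deleterow')) {
        return
    }

    if ($BackupPath) {
        # certutil -backupDB refuses to overwrite existing backup files, so use a fresh folder.
        $backupDir = Join-Path $BackupPath ('CA-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
        Write-Verbose "Backing up CA database to $backupDir"
        $backupOutput = & certutil.exe -backupDB $backupDir
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -backupDB failed (exit code $LASTEXITCODE): $($backupOutput -join "`n")"
        }
    }

    $pass = 0
    do {
        $pass++
        Write-Verbose "Pass ${pass}: certutil -deleterow $dateArg $RowType"
        $output = & certutil.exe -deleterow $dateArg $RowType
        $exitCode = $LASTEXITCODE

        # certutil prints how many rows the pass removed; keep that in the verbose log.
        $output | Where-Object { $_ -match 'rows' } | ForEach-Object { Write-Verbose $_ }

        # Any failure other than version-store exhaustion is a real problem: stop here.
        if ($exitCode -ne 0 -and $exitCode -ne $VersionStoreExhausted) {
            throw "certutil -deleterow failed on pass $pass with exit code $exitCode`: $($output -join "`n")"
        }
        # Version-store exhaustion is expected after ~2,000-3,000 rows; the rows already
        # deleted in this pass are committed, so the loop simply runs another pass.
    } while ($exitCode -eq $VersionStoreExhausted -and $pass -lt $MaxPasses)

    if ($exitCode -eq $VersionStoreExhausted) {
        Write-Warning "Stopped after $MaxPasses passes with matching rows still present; run again to continue."
    }

    [pscustomobject]@{
        RowType   = $RowType
        Before    = $dateArg
        Passes    = $pass
        Completed = ($exitCode -eq 0)
    }
}

# Example usage (the page's date for requests; a one-year cutoff for expired certificates):
#   Invoke-CaDatabaseCleanup -Before '1/22/2010' -RowType Request -WhatIf
#   Invoke-CaDatabaseCleanup -Before '1/22/2010' -RowType Request -BackupPath 'D:\CA-Backup' -Verbose
#   Invoke-CaDatabaseCleanup -Before (Get-Date).AddYears(-1) -RowType Cert -Verbose
```

Run it with -WhatIf first to confirm the row type and cutoff date, and keep the backup folder until the CRL has been published successfully after the cleanup. Stopping on any exit code other than the version-store error is deliberate: a permissions problem or a wrong date argument should not be retried hundreds of times.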

Extra Reading