Microsoft Certification Authority Cleanup

13 April 2020, by Rached CHADER

Cleaning up the Microsoft CA database is something that most administrators forget to do or don’t want to do.

The CA database contains a record of issued certificates and of all pending and failed requests. Revoked certificates are also kept in the database, so that a certificate revocation list (CRL) can be generated on a regular basis.

Issued certificates should not be deleted from the CA until they expire, and revoked certificates should not be deleted until they expire either, because they feed the contents of the certificate revocation list.

The certificate revocation list is a list maintained by the certification authority that provides the list of revoked certificates to consumers of digital certificates, so that they can perform a revocation check before accepting a presented certificate.

Certificates that are past their validity period can be deleted without any side effects.

The two types of records that you can delete at any time are:

  • Certificates issued and expired.
  • Revoked and expired certificates.

In addition, failed and pending requests can be deleted at any time. They are only requests for certificates, and no issued certificate is associated with them.

How do I delete?

This is done with the certutil command line and the -deleterow parameter. You must specify the type of records to delete, according to the table below:


Name      Description                        Date the cutoff applies to
Request   Failed and pending requests        Submission date
Cert      Expired and revoked certificates   Expiration date
Ext       Extension table                    N/A
Attrib    Attribute table                    N/A
CRL       CRL table                          Expiration date

For example, if you want to delete all failed and pending requests submitted before April 01, 2020, the command is:

certutil -deleterow 4/01/2020 Request

(the date is given in mm/dd/yyyy format)
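The same cleanup as a scheduled PowerShell script, added here as an example and not part of the original post. It backs up the database first, then deletes only the two record types described above as safe to remove at any time. The retention period, backup path and the bounded retry loop (certutil may stop after a batch of rows and return a non-zero exit code) are assumptions chosen for this example.

```powershell
# Added example: periodic CA database cleanup with certutil -deleterow.
# Assumes it runs elevated on the CA server; $RetentionDays and $BackupRoot
# are illustrative values, not taken from the original post.
param(
    [int]$RetentionDays = 90,
    [string]$BackupRoot = 'C:\CABackup'   # placeholder path, adjust for your server
)

# certutil expects the cutoff as mm/dd/yyyy; formatting with the invariant culture
# keeps the output identical regardless of the machine's regional settings.
$cutoff = (Get-Date).AddDays(-$RetentionDays).ToString('MM/dd/yyyy', [cultureinfo]::InvariantCulture)

# Take a database backup first so that a mistaken cutoff is recoverable.
$backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
& certutil.exe -backupdb $backupDir
if ($LASTEXITCODE -ne 0) {
    throw "CA database backup failed (exit code $LASTEXITCODE); cleanup aborted."
}

function Invoke-CARowCleanup {
    param(
        # 'Request' deletes failed/pending requests by submission date;
        # 'Cert' deletes expired certificates (issued or revoked) by expiration date.
        [ValidateSet('Request', 'Cert')] [string]$Table
    )
    # Assumption: certutil can stop after a batch of rows with a non-zero exit code,
    # so the command is repeated until it succeeds, bounded to avoid an endless loop.
    $pass = 0
    do {
        $pass++
        Write-Host "[$Table] pass $pass, deleting rows older than $cutoff"
        & certutil.exe -deleterow $cutoff $Table
        $rc = $LASTEXITCODE
    } while ($rc -ne 0 -and $pass -lt 20)
    if ($rc -ne 0) {
        Write-Warning "[$Table] cleanup ended with exit code $rc after $pass passes"
    }
}

# Only the record types the post describes as safe to delete at any time.
# Unexpired revoked certificates are never matched by the Cert cutoff, so the
# CRL content is preserved.
Invoke-CARowCleanup -Table 'Request'
Invoke-CARowCleanup -Table 'Cert'
```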
