AD CS – PKI – Maintenance


Posted by on 27. J 2024 in Blog

Here are the commands to clean up a Microsoft Certificate Authority database. The CA doesn't do it by itself, and that is a good thing if you rely on key archival, because the archived private keys live in those database rows. I've only ever used it for Always On VPN and Wi-Fi access, so I don't care whether expired certificates get cleaned up. Now you're warned 🙂

This can take a LONG time if you've never done it before, so I recommend doing it in batches. First, find out how old your earliest expired certificate is (CA -> Issued Certificates -> sort by Certificate Expiration Date).

Commands (date format is Danish, d/m/yyyy; certutil parses the date in the CA's own locale, and the backup directory must be empty or not yet exist):
certutil -backupdb c:\madsd\temp
certutil -deleterow d/m/yyyy cert
certutil -deleterow d/m/yyyy request
certutil -databaselocations
net stop certsvc
esentutl /d "edb-filepath"
net start certsvc

I hope this doesn't require explanation; otherwise, find another occupation 🙂 Also, read up on certutil -restoredb (the counterpart of -backupdb) so you're prepared if something fails. (A VM snapshot will do as well; I usually shut the VM down before taking the snapshot.)

-deleterow d/m/yyyy cert
This one deletes the rows of expired and revoked certificates whose expiration date is before the given date. I recommend doing this in batches if there are many expired certificates, since it can take a long time. 1000 certificates take around 10 to 30 seconds on my old 2008 PKI (yes, 2008, sigh).

TIP: Never pass a date later than yesterday's in your cleanup, or you risk deleting certificates that are still valid and ending up with downtime for every service that depends on your PKI. As long as the date is in the past, nothing with a future expiration date is touched.

-deleterow d/m/yyyy request
This one deletes lingering requests (pending and failed) whose submission date is before the given date. Pending requests that are still waiting for a CA manager's approval go too, so glance at Pending Requests before you run it.

-databaselocations
This one shows the directory of the CA database (the .edb file), which you need for the esentutl defragmentation command.

esentutl /d "edb-filepath"
This one defragments the .edb file and compacts it. It writes a new, compacted copy beside the original and swaps it in at the end, so you need free disk space of roughly the database's size. If you have enough disk space anyway, there's no need to do this, since the CA will simply reuse the white space. Remember we stopped the certsvc service: while esentutl runs, the CA is down.
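The whole procedure above as one script, written as an added example (it is not code from the original post). It is meant to be run in an elevated PowerShell on the CA itself and assumes a backup root of C:\CABackup (hypothetical), 30-day cleanup windows, and that the CA's locale short-date pattern is the one certutil expects for -deleterow (on the post's Danish CA that is d/m/yyyy). The database path is read from the CertSvc registry configuration instead of parsing the output of certutil -databaselocations; it points to the same directory.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: batched AD CS database cleanup
# with certutil, run in an elevated PowerShell on the CA itself.
# Assumptions (mine, not the post's): backup root C:\CABackup, 30-day batches,
# and that the CA's locale short-date pattern is what certutil expects for
# -deleterow. Take a VM snapshot or a full backup before running it.
param(
    [string]$BackupRoot = 'C:\CABackup',   # hypothetical path
    [int]$BatchDays     = 30,
    [datetime]$StartDate                    # optional: earliest expiration, from the console
)

$Fmt       = (Get-Culture).DateTimeFormat.ShortDatePattern   # the pattern certutil parses
$Yesterday = (Get-Date).Date.AddDays(-1)                    # hard upper bound (see the tip)

# 1. Backup. certutil -backupdb refuses a non-empty directory, so use a fresh one.
$BackupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
& certutil.exe -backupdb $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb $BackupDir failed" }

# 2. Starting point: the earliest expiration among issued rows (Disposition=20).
#    certutil -view prints dates in the local format and [datetime]::Parse reads
#    them with the same culture; lines that are not dates (header, status) are skipped.
if (-not $StartDate) {
    $dates = & certutil.exe -view -restrict 'Disposition=20' -out NotAfter csv |
        ForEach-Object { try { [datetime]::Parse("$_".Trim('"')) } catch { $null } } |
        Where-Object { $_ } | Sort-Object
    if (-not $dates) { throw 'No issued certificates found; pass -StartDate explicitly.' }
    $StartDate = $dates[0]
}

# 3. Delete in windows, never past yesterday. certutil handles one window per
#    call and may stop early on a very large set, so each window is repeated
#    until it reports "Rows deleted: 0".
function Remove-RowsBefore {
    param([string]$DateString, [ValidateSet('Cert', 'Request')][string]$RowType)
    for ($attempt = 1; $attempt -le 20; $attempt++) {
        $out = & certutil.exe -deleterow $DateString $RowType | Out-String
        if ($out -match 'Rows deleted:\s*(\d+)') {
            Write-Host ("  {0,-7} up to {1}: {2} rows" -f $RowType, $DateString, $Matches[1])
            if ([int]$Matches[1] -eq 0) { return }
        } elseif ($LASTEXITCODE -ne 0) {
            throw "certutil -deleterow $DateString $RowType failed:`n$out"
        } else { return }
    }
}

$cursor = $StartDate.Date
if ($cursor -gt $Yesterday) { Write-Host 'Nothing expired before yesterday; done.'; return }
do {
    $cursor = $cursor.AddDays($BatchDays)
    if ($cursor -gt $Yesterday) { $cursor = $Yesterday }   # the tip: never past yesterday
    $d = $cursor.ToString($Fmt)
    Write-Host "Window ending $d"
    Remove-RowsBefore -DateString $d -RowType Cert
    Remove-RowsBefore -DateString $d -RowType Request
} while ($cursor -lt $Yesterday)

# 4. Compact offline. DBDirectory and the active CA name come from the CertSvc
#    registry config (same directory certutil -databaselocations prints).
#    esentutl /d writes a new file beside the old one, so it needs free space of
#    roughly the database size, and the CA is down for the duration.
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$edb = Join-Path $cfg.DBDirectory "$($cfg.Active).edb"
if (-not (Test-Path $edb)) { throw "CA database not found at $edb" }
Stop-Service CertSvc
try {
    & esentutl.exe /d $edb
    if ($LASTEXITCODE -ne 0) { throw "esentutl /d $edb failed (exit code $LASTEXITCODE)" }
} finally {
    Start-Service CertSvc    # bring the CA back even if the defrag failed
}
```

The window loop is what makes the first run tolerable on an old CA: each -deleterow call only covers $BatchDays worth of expirations, and a call that quits part way through is simply repeated until nothing is left in that window. The cap at yesterday is enforced in code rather than left to the operator, because a single typo in the date is enough to remove certificates that are still in use.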

