AD CS – PKI – Maintenance
Here are the commands to clean up a Microsoft Certificate Authority database. The CA doesn't do this by itself. That is a good thing if you are using some key-archival technology, but I've only ever used it for Always On VPN or Wi-Fi access, so I don't care if the expired certificates get cleaned up. Now you're warned 🙂
This can take a LONG time if you've never done it before, so I recommend doing it in batches. First, find out how old your earliest expired certificate is (CA -> Issued Certificates -> order by Certificate Expiration Date).
Commands (date format is Danish):
certutil -backupdb c:\madsd\temp
certutil -deleterow d/m/yyyy cert
certutil -deleterow d/m/yyyy request
certutil -databaselocations
net stop certsvc
esentutl /d "edb-filepath"
net start certsvc
-backupdb
I hope this doesn't require explanation – otherwise, find another occupation 🙂 Also, maybe read up on certutil -restore so you're prepared if something fails. (I guess a snapshot of the VM will suffice – I usually shut it down first, before taking the snapshot.)
-deleterow d/m/yyyy cert
This one deletes all certificates that are expired or revoked up to the given date. I recommend doing this in batches if there are many expired certificates, since it can take a long time. 1000 certificates take around 10-30 seconds on my old 2008 PKI (yes, 2008, sigh).
TIP: Never go past yesterday's date in your cleanup, or you risk deleting valid certificates and ending up with downtime for services that depend on your PKI.
-deleterow d/m/yyyy request
This one deletes all lingering requests (pending and failed) up to the given date, based on their submission date.
-databaselocations
This one shows the path to the CA database (.edb file), which you need for the esentutl defragmentation command.
esentutl /d "edb-filepath"
This one defragments the .edb file and compacts it. If you have enough disk space there's no need to do this, since the CA will simply reuse the whitespace. Remember that we stopped the certsvc service first; this means that while esentutl runs, the CA is down.
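To tie the steps above together, here is a PowerShell script of my own (an added example, not part of the original post) that takes the backup, runs the two -deleterow commands in batches of a configurable number of days, refuses to go past yesterday, and optionally stops the service, compacts the .edb file and starts the service again. The backup path, the .edb path, the step size and the date format are assumptions you adjust to your own CA.

```powershell
<#
Added example, not from the original post: batched AD CS database cleanup.
Assumes an elevated session on the CA, certutil.exe and esentutl.exe on PATH,
and the placeholder paths below replaced with your own.
#>
param(
    [Parameter(Mandatory)][datetime]$StartDate,   # earliest expiry from "Issued Certificates"
    [int]$StepDays = 30,                           # size of each batch, in days
    [string]$DateFormat = 'd/M/yyyy',              # must match the CA's locale (Danish in the post)
    [string]$BackupPath = 'C:\ADCS-backup',        # placeholder backup folder
    [string]$EdbPath = ''                          # from certutil -databaselocations; empty = skip compaction
)

function Invoke-CertUtil {
    # Runs certutil with the given arguments and stops the script on a non-zero exit code.
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Format-CaDate([datetime]$d) {
    # InvariantCulture keeps the literal separators in $DateFormat instead of the host's.
    return $d.ToString($DateFormat, [System.Globalization.CultureInfo]::InvariantCulture)
}

# Guard from the post: never clean past yesterday, or valid certificates are deleted too.
$yesterday = (Get-Date).Date.AddDays(-1)
if ($StartDate.Date -gt $yesterday) { throw 'StartDate must be yesterday or earlier' }

# Always back up the database first; the script aborts if that fails.
Invoke-CertUtil -Arguments @('-backupdb', $BackupPath)

# Walk the cutoff date forward in batches so each -deleterow run stays short.
$cutoff = $StartDate.Date
while ($cutoff -le $yesterday) {
    $stamp = Format-CaDate $cutoff
    Write-Host "Deleting expired/revoked certificates and old requests up to $stamp"
    Invoke-CertUtil -Arguments @('-deleterow', $stamp, 'cert')
    Invoke-CertUtil -Arguments @('-deleterow', $stamp, 'request')
    $cutoff = $cutoff.AddDays($StepDays)
}
# Final pass so the last (partial) batch ends exactly at yesterday.
Invoke-CertUtil -Arguments @('-deleterow', (Format-CaDate $yesterday), 'cert')
Invoke-CertUtil -Arguments @('-deleterow', (Format-CaDate $yesterday), 'request')

if ($EdbPath) {
    # Compaction needs certsvc stopped; the CA is down until it is started again.
    net stop certsvc
    try {
        & esentutl.exe /d $EdbPath
        if ($LASTEXITCODE -ne 0) { throw "esentutl failed with exit code $LASTEXITCODE" }
    } finally { net start certsvc }
}
```

Run it as `.\Cleanup-CaDb.ps1 -StartDate '2012-01-01' -StepDays 30` first without -EdbPath, and only add -EdbPath once the deletions have finished and you have a maintenance window for the CA being offline.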
Tags:
MSCA, Certificate Authority, Root CA, Issuing CA, CA, MS CA, Enterprise CA, ADCS, AD CS, Active Directory Certificate Services