CA Maintenance

    Question

  • Hi Guys,

    I'm doing a maintenance on our neglected CA which has been running from 2005. It has around 250k requests and 20k issued certificates meaning around 230k denied requests. I want to delete as many denied requests as possible and also very old expired certificates using the certutil tool. Looking around I found some good articles describing its usage and I just want to confirm with you guys before doing a CA pudding.

    • Is it OK if I remove all failed/pending requests before February 2012 using 'certutil -deleterow 1/3/2012 Request'
    • Can I remove expired certs, and if so, will this work 'certutil -deleterow 1/1/2010 Cert'
    • Remove old CRLs using 'certutil -deleterow 1/1/2012'
    • Can someone explain what are the Ext and Attrib options in the certutil -deleterow

    Any help on this is very much appreciated.

    Thanks!

    Friday, March 09, 2012 4:56 PM

Answers

  • 2) yes. And you can configure CA server to not include expired certificates in CRL.

    4) This table contains only extensions that are included in the request and optional attributes. Row information is associated with Cert table. When you submit/issue new certificate, a new row is created in Cert table and Attributes/Extensions table.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by Bruce-Liu Thursday, March 15, 2012 11:01 AM
    Sunday, March 11, 2012 8:07 PM
  • Hi,

    I got all the expired certificates' RequestIDs and looped 'certutil -deleterow' into a ForEach-Object PowerShell cmdlet and voila, all expired certificates are gone and (it seems that) no damage was done.

    Thanks.

    • Marked as answer by meimnot Tuesday, April 03, 2012 7:17 AM
    Tuesday, April 03, 2012 7:17 AM
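    The approach in the reply above (enumerate the RequestIDs of expired certificates, then loop certutil -deleterow over them) written out as an added PowerShell example; it is not code from the thread or from the PSPKI module. The -restrict/-out column names, the CSV parsing and the backup path are my assumptions, and the script runs in -WhatIf mode until you drop that switch.

    ```powershell
    <#
      Added example (not from the thread): remove issued certificates that expired
      before a cutoff date from the CA database, one certutil -deleterow per RequestID.
      Assumes certutil.exe is on PATH and the script runs on the CA itself
      (otherwise add -config "CAHost\CAName" to each certutil call).
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [datetime] $Cutoff,                       # e.g. '2012-01-01'
        [string] $BackupPath = "C:\CA-Backup\$(Get-Date -Format yyyyMMdd)" # assumed location
    )

    # 1. Back up the database first: -deleterow cannot be undone.
    if ($PSCmdlet.ShouldProcess($BackupPath, 'certutil -backupdb')) {
        certutil -backupdb $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "CA database backup failed; aborting." }
    }

    # 2. Query the Cert table: Disposition 20 = issued, NotAfter before the cutoff.
    #    The date literal uses the US short form (M/d/yyyy) that certutil -deleterow also takes.
    $cutoffText = $Cutoff.ToString('M/d/yyyy', [cultureinfo]::InvariantCulture)
    $restrict   = "Disposition=20,NotAfter<$cutoffText"
    $raw = certutil -view -restrict $restrict -out 'RequestID,NotAfter,CommonName' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($raw -join ' ')" }

    # The first CSV line carries certutil's localised display names; replace it with
    # a fixed header so the parse does not depend on the CA's language.
    $rows = $raw | Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID,NotAfter,CommonName
    Write-Verbose ("Found {0} expired certificate(s) before {1}" -f @($rows).Count, $cutoffText)

    # 3. Delete each row by RequestID (RowID = RequestID; the Cert table is the default).
    $deleted = 0; $failed = @()
    foreach ($row in $rows) {
        # Accept either a plain decimal ("302") or certutil's "0x12e (302)" form.
        if ($row.RequestID -notmatch '(\d+)\)?\s*$') { continue }
        $id = [int]$matches[1]
        $what = "RequestID $id ($($row.CommonName), expired $($row.NotAfter))"
        if ($PSCmdlet.ShouldProcess($what, 'certutil -deleterow')) {
            certutil -deleterow $id | Out-Null
            if ($LASTEXITCODE -eq 0) { $deleted++ } else { $failed += $id }
        }
    }
    Write-Output "Deleted $deleted row(s)."
    if ($failed) { Write-Warning ("Could not delete RequestIDs: {0}" -f ($failed -join ', ')) }
    ```

    Run it once with -WhatIf -Verbose to see which rows would go; a row that still fails with this per-RequestID form is worth inspecting with certutil -view -restrict "RequestID=<id>" before trying again.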

All replies

  • Hi Vadims,

    Actually, I'm basing my post on that excellent blog; I just need some more insight on my second and fourth points because they are not really explained and I can't seem to find much information on the certutil tool.

    Thanks.

    Friday, March 09, 2012 8:00 PM
  • Thanks for your help Vadims. I'll remove as many requests and expired certificates as possible and remove the DB whitespace after all is done.
    Monday, March 12, 2012 9:16 AM
  • Hello again,

    So CA maintenance went extremely well (DB down to 70MB from 1.7GB). I still have a tiny problem though... expired user certificates are not being deleted with the certutil -deleterow 1/1/2012 cert command. I'm suspecting this is something to do with some private key archival. I have managed to delete a couple using certutil -deleterow 306 (using the RequestID), but is this the way it should be done? Why are the user certificates not being deleted like all the others using the certutil -deleterow 1/1/2012 cert command?

    Any help is much appreciated. Thanks.

    Monday, April 02, 2012 9:23 AM
  • Can someone please confirm the correct syntax to remove a revoked certificate by RequestID is:

    certutil -deleterow 108

    Where "108" is the request ID. The confusion is not understanding how the command differentiates between a RowID and a RequestID. Thanks!


    Recruiting Consultants and Trainers

    Thursday, December 12, 2013 4:48 PM
  • RowID = RequestID

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Thursday, December 12, 2013 7:09 PM