NAP CA Requirements Confusion

Answers

  • Hi Jazeel,

    It is 5 minutes by default, but you can customize the interval.

    To configure it, edit the value of hklm\software\microsoft\hcs\CertDBCleanupInterval on the NAP CA. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.

    To convert between decimal and hex, use Programmer view in the Windows 7 Calculator: type the value you want, then click Hex or Dec on the middle left.

    -Greg

    P.S. Below is the procedure copied from http://technet.microsoft.com/en-us/library/cc735452(WS.10).aspx

    To verify that HRA is successfully removing expired records from the CA database:

    1. On the computer where AD CS is installed, click Start, and then click Command Prompt.
    2. In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
    3. In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
    4. Click Start, click Run, type certsrv.msc, and then press ENTER.
    5. In the Certification Authority console tree, click Issued Certificates.
    6. In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.

    Friday, November 25, 2011 2:58 PM
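    The registry check and the expiry verification from the accepted answer, scripted as an added example (not from the thread or from Microsoft's documentation). It assumes an elevated PowerShell session on the NAP CA with certutil.exe on the PATH; the column header names in certutil's CSV output are not relied on, only the column order requested with -out.

```powershell
# Added example: inspect, adjust and verify the HRA cleanup interval on a NAP CA.
# Assumptions: elevated session on the CA; certutil.exe on PATH; the registry
# path is the one quoted in the thread (hklm\software\microsoft\hcs).
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\HCS'
$Name    = 'CertDBCleanupInterval'

function Get-HraCleanupInterval {
    # The value is a REG_DWORD. reg query and regedit show it in hex (0x12c),
    # but PowerShell returns the integer, so no manual hex/decimal conversion
    # is needed; the Hex field is only reproduced for comparison with reg query.
    $seconds = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop).$Name
    [pscustomobject]@{
        Seconds = $seconds
        Minutes = [math]::Round($seconds / 60, 2)
        Hex     = ('0x{0:x}' -f $seconds)
    }
}

function Set-HraCleanupInterval {
    param([Parameter(Mandatory)][int]$Seconds)
    # Write the interval as a DWORD in seconds; "0x..." is only how it is displayed.
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Seconds -Type DWord
}

function Get-OverdueIssuedCertificates {
    # Lists issued certificates (Disposition 20) whose expiry lies further in
    # the past than the cleanup interval; HRA should already have removed them,
    # so any hit means cleanup is not working (step 6 of the procedure).
    param([int]$IntervalSeconds = (Get-HraCleanupInterval).Seconds)
    $cutoff = (Get-Date).AddSeconds(-$IntervalSeconds)
    $rows = certutil -view -restrict 'Disposition=20' -out 'RequestID,NotAfter' -csv
    # Keep only data rows (they start with a numeric Request ID), drop certutil's
    # own header and status lines, and name the columns by position.
    $rows | Where-Object { $_ -match '^"?\d' } |
        ConvertFrom-Csv -Header 'RequestId', 'NotAfter' |
        Where-Object {
            # certutil prints dates in the current locale's format.
            $expiry = [datetime]::Parse($_.NotAfter, [cultureinfo]::CurrentCulture)
            $expiry -lt $cutoff
        }
}

Get-HraCleanupInterval
Get-OverdueIssuedCertificates
```

    An empty result from Get-OverdueIssuedCertificates is the expected healthy state; the -restrict filter keeps certutil from dumping every request in a large NAP CA database.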

All replies

  • Hi,

    The space is due to the fact that a CA will keep a database of all certificate requests. Since a NAP CA issues certificates extremely often, this database can be very large. If the server runs out of disk space, the CA will no longer function - until the database is cleared.

    http://technet.microsoft.com/en-us/library/dd125344(WS.10).aspx

    -Greg

    Thursday, November 24, 2011 12:05 AM
  • Hi,

    Thanks for your reply, but I am using a CA that is not dedicated to NAP and I have given HRA permission to Manage CA, so will it automatically clear only the NAP certificate database or others too?
    Thanks & Regards, Jazeel Ahmed Siddiqui
    Thursday, November 24, 2011 8:09 AM
  • Hi,

    There is only one CA database, so it will clear everything.

    -Greg

    Friday, November 25, 2011 3:30 AM
  • Hi,

    OK Greg, but can you tell me the time period after which HRA clears the CA database?

    Thanks & Regards, Jazeel Ahmed Siddiqui
    Friday, November 25, 2011 7:29 AM