“certutil -deleterow” not doing anything

    Question

  • I'm trying to clean up old and failed certificates on my CA using certutil. I'd like to delete all failed requests prior to July 1st, 2014. I'm running the following:

        certutil -v -deleterow 7/1/2014 Request


    This initially worked for a while, but it has stopped doing anything. There are mentions around the internet of the certutil utility exhausting the version store and having to be restarted, but that doesn't appear to be what's happening in my case - it's just not doing anything at all. The output I get now when I start the command is:

        7/1/2014 12:00 AM
        7/1/2014 12:00 AM


    and nothing further.

    I've tried defragging the CA DB, doing an integrity check, restarting the service, restarting the server, none of which have had an impact on this stuck condition I'm in. I can manually delete individual rows, so the CA is still responsive to the certutil command, just not this specific one. Can anyone give me an idea as to what I'm missing?
    Thursday, July 24, 2014 7:07 PM

All replies

  • Hi Mark,

    As a workaround, please refer to this batch script:

    @echo off
    rem List the row IDs matching the restriction (csv output, one ID per line),
    rem drop the "Issued Request ID" header line, then delete each row by ID.
    rem The comma in -restrict means AND; ^| escapes the pipe inside for /f.
    for /f %%i in ('certutil.exe -view -restrict "Disposition=31,notbefore<8/27/2013" -out Requestid csv ^| find /v "Issued Request ID"') do (
      echo Deleting row ID: %%i
      certutil.exe -deleterow %%i Request
    )

    Disposition 31 is a denied request, 30 is a failed request, so adjust that as you like, and the date of course.

    A similar discussion for your reference:

    Certutil -deleterow command doesn't appear to be running

    I hope this helps.

    Friday, July 25, 2014 10:06 AM
    Moderator
  • So this works for failed requests - what can I do about expired certificates? There doesn't appear to be a disposition that matches expired certificates, and "certutil -deleterow 7/1/2014 cert" is producing the same issue as Request did - it outputs two lines and then does nothing.

    Friday, July 25, 2014 6:02 PM
  • Expired certificates should be caught by setting the restriction so that all issued certificates expiring earlier than today are returned:

    "Disposition=20,notafter<7/25/2014"

    20... indicating status of Issued
    NotAfter... expiry date

    Edit: You cannot OR combine failed and expired certificates - you need to run two separate commands.

    Here is an overview of the available disposition codes and some samples.

    Elke
    Friday, July 25, 2014 8:37 PM
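Pulling the two answers above together, here is an added PowerShell example (not code from the thread, from Microsoft or from either poster) that runs the moderator's row-by-row deletion as separate passes for failed requests, denied requests and expired issued certificates, using the restriction strings and disposition codes quoted in the thread (30 failed, 31 denied, 20 issued). It assumes it is run elevated on the CA host, that certutil reads the dates in the machine's short date format (taken here as M/d/yyyy), and that deleting by RequestID against the Request table removes the row for an issued certificate as well; the parameter names, the BatchSize cap and the integer-only line filter are this example's own choices, not certutil features. Run it with -WhatIf first.

```powershell
<#
Added example, not code from the thread. Deletes CA database rows with certutil
in separate passes, because -restrict clauses are ANDed and the failed-request
and expired-certificate criteria cannot be ORed into one restriction.
Assumptions: run elevated on the CA; certutil parses dates in the machine's
short date format (M/d/yyyy here); disposition codes and restriction columns
are the ones quoted in the thread. Usage:
  .\Remove-CaRows.ps1 -RequestCutoff '2014-07-01' -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Failed/denied requests with NotBefore older than this are deleted.
    [datetime]$RequestCutoff = (Get-Date '2014-07-01'),
    # Issued certificates whose NotAfter is older than this are deleted.
    [datetime]$ExpiryCutoff = (Get-Date),
    # Cap per pass (example's own choice); re-run rather than delete all at once.
    [int]$BatchSize = 2000
)

# Returns the RequestID of every row matching a certutil -restrict clause.
function Get-CaRowId {
    param([Parameter(Mandatory)][string]$Restrict)
    & certutil.exe -view -restrict $Restrict -out RequestID csv |
        ForEach-Object {
            # Keep only lines that are a bare (optionally quoted) integer, so the
            # "Issued Request ID" header, blank lines and any trailer are skipped.
            if ($_ -match '^\s*"?(\d+)"?\s*$') { [int]$Matches[1] }
        }
}

# Deletes each matching row individually by RequestID, which keeps working
# where a single date-based "certutil -deleterow <date> <table>" does nothing.
function Remove-CaRow {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][string]$Restrict,
        [Parameter(Mandatory)][ValidateSet('Request', 'Cert')][string]$Table,
        [int]$Limit = 2000
    )
    $ids = @(Get-CaRowId -Restrict $Restrict | Select-Object -First $Limit)
    Write-Host ("{0}: {1} row(s) match '{2}'" -f $Label, $ids.Count, $Restrict)
    $deleted = 0
    foreach ($id in $ids) {
        if ($PSCmdlet.ShouldProcess("RequestID $id", "certutil -deleterow $id $Table")) {
            & certutil.exe -deleterow $id $Table | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "certutil -deleterow $id $Table failed (exit code $LASTEXITCODE)"
            }
            else { $deleted++ }
        }
    }
    Write-Host ("{0}: deleted {1} row(s)" -f $Label, $deleted)
}

$reqDate = $RequestCutoff.ToString('M/d/yyyy')   # assumed short date format
$expDate = $ExpiryCutoff.ToString('M/d/yyyy')

# Failed (30) and denied (31) requests before the request cutoff.
Remove-CaRow -Label 'Failed requests' -Restrict "Disposition=30,NotBefore<$reqDate" -Table Request -Limit $BatchSize
Remove-CaRow -Label 'Denied requests' -Restrict "Disposition=31,NotBefore<$reqDate" -Table Request -Limit $BatchSize
# Issued (20) certificates that have already expired.
Remove-CaRow -Label 'Expired certificates' -Restrict "Disposition=20,NotAfter<$expDate" -Table Request -Limit $BatchSize
```

Each pass is its own certutil -view, which is the practical consequence of the point in the last answer that the criteria cannot be ORed into one restriction. The BatchSize cap bounds the number of deletions per run, the usual precaution against the version-store exhaustion the question mentions; -WhatIf prints the row IDs that would go without touching the database, which is a cheap way to confirm the restriction matches what you expect before running it for real.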