Clean and compact the CA Database

      2 Comments on Clean and compact the CA Database

In this blog I will show how you can clean and compact the CA Database. To regain overview in your CA Infrastructure. Depending on your environment, the CA Database can increase substantially in size over time. In addition, expired certificates remain in the Issued Certificates view.

Pic 1: Example Expired Certificates Database


This can cause you to lose overview. Besides the Issued Certificates, this also applies to Revoked, Pending and Failed Requests. After you clean up the database, you need to compact it. The cleansing process creates white spaces in the database which can be removed by compacting the database.


Backup the CA Database

To clean up the database, we use the command-line program Certutil.exe. This is installed by default when adding the Certificate Services role on the server. Before starting, it is important to make a backup so that it is possible to restore the CA database.

Certutil -backupDB <backupDirectory>

To create a backup in the folder “C:\temp” you will need to create the folder “c:\temp” and enter:

 Certutil -backupDB c:\temp


Remove the Expired and revoked certificates

Now that we have a backup of the CA database, we can start cleaning up the records. As with the backup, we will use Certutil.exe. To remove Expired and Revoked certificates, we specify the date until which they should be removed. For example, if you want all certificates expired and revoked through 01-01-2023, then enter 01-01-2023. Certificates expired or revoked on 02-01-2023 will remain in the database. In this example I will remove all certificate which are expired or revoked on 01-01-2023. To indicate that you want to remove expired and revoked certificates enter “cert“.

certutil -deleterow 01/01/2023 cert

This action has removed 10 rows

On my demo server there are only some expired Issued Certificates. As you can see in the screenshot, all certificates that expired on or before 01-01-2023 have been removed.

Since I don’t have revoked certificates I can’t show this, but the same goes for revoked certificates.


Remove the Pending and failed requests

Now that the expired and revoked certificates have been removed we continue with the pending and failed requests. As with the previous work we use Certutil.exe. Unlike the expired and revoked certificates, the pending and failed requests require you to enter the submission date. If you want to remove pending and failed requests created up to and including January 1, 2023, enter 01/01/2023. To indicate that you want to remove failed and pending requests enter “request“.

certutil -deleterow 01/01/2023 request

Since I don’t have pending and failed requests I can’t show this. As you can see in the screenshot, no rows have been deleted.


Compact the CA Database

Now that we are almost at the end, we need to perform one more step and that is to extract the white spaces (defragmentation) from the database. To do this we use Esentutl. First we need to find out the path to the database. By default, the database is located in the folder “C:WindowsSystem32CertLog”. The database has the extension “*.edb”. In my demo environment, the database is called “ditcompany-CA-SUB-02-CA.edb”.


To remove the white spaces we are going to defragment the database. We do that with the command below:

Esentutl /d "<database path>"

But before defragmenting the database, you must first stop the service. Keep in mind that because you stop the service, certificates cannot be temporarily issued either.


Now you can run the defragmenter by using esentutl /d.


After defragmenting is done successfully, you can restart the CA service.


Because I performed the work in a demo environment with only 10 certificates deleted, the results are not that great. Only 128 KB were freed. If you have an environment with thousands of certificates then you can imagine that the result is much bigger.




2 thoughts on “Clean and compact the CA Database

  1. Robert

    Can I safely delete computer(Machine) , Domain Controller and User -Wireless – EAP-TLS expired certs? sorry, I am newer to CA. Can you recommend a good learning source for CA admin?


Leave a Reply

Your email address will not be published. Required fields are marked *