CA Maintenance
Hi Guys, I'm doing maintenance on our neglected CA, which has been running since 2005. It has around 250k requests and 20k issued certificates, meaning around 230k denied requests. I want to delete as many denied requests as possible, and also very old expired certificates, using the certutil tool. Looking around I found some good articles describing its usage and I just want to confirm with you guys before doing a CA pudding.

1) Is it OK if I remove all failed/pending requests before February 2012 using 'certutil -deleterow 1/3/2012 Request'?
2) Can I remove expired certs, and if so, will this work: 'certutil -deleterow 1/1/2010 Cert'?
3) Remove old CRLs using 'certutil -deleterow 1/1/2012'?
4) Can someone explain what the Ext and Attrib options in certutil -deleterow are?

Any help on this is very much appreciated. Thanks!
March 9th, 2012 12:04pm

I think this article helps you: http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 9th, 2012 2:43pm

Hi Vadims, actually I'm basing my post on that excellent blog, I just need some more insight on my second and fourth points because they are not really explained and I can't seem to find much information on the certutil tool. Thanks.
March 9th, 2012 3:08pm

2) Yes. And you can configure the CA server to not include expired certificates in the CRL.
4) This table contains only extensions that are included in the request and optional attributes. Row information is associated with the Cert table. When you submit/issue a new certificate, a new row is created in the Cert table and in the Attributes/Extensions table.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 11th, 2012 4:11pm


Thanks for your help Vadims. I'll remove as many requests and expired certificates as possible and remove the DB whitespace after all is done.
March 12th, 2012 5:21am

Hello again. So the CA maintenance went extremely well (DB down to 70MB from 1.7GB). I still have a tiny problem though: expired user certificates are not being deleted with the 'certutil -deleterow 1/1/2012 cert' command. I'm suspecting this has something to do with private key archival. I have managed to delete a couple using 'certutil -deleterow 306' (using the RequestID), but is this the way it should be done? Why are the user certificates not being deleted like all the others using the 'certutil -deleterow 1/1/2012 cert' command? Any help is much appreciated. Thanks.
April 2nd, 2012 5:27am

Hi, I got all the expired certificates' RequestIDs, looped 'certutil -deleterow' inside a ForEach-Object PowerShell cmdlet, and voila, all expired certificates are gone and (it seems that) no damage was done. Thanks.
April 3rd, 2012 3:28am
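The per-RequestID loop the last post describes, written out as an added example (not the poster's or Vadims' code). It assumes it is run elevated on the CA host with certutil.exe on the PATH, that the cutoff date is given in the CA's locale format, and it only lists matches unless -Commit is passed.

```powershell
# Added example: delete expired, issued certificates from an AD CS database one RequestID
# at a time, the way the thread's final post did, instead of relying on "-deleterow <date> Cert".
param(
    [string]$Cutoff = '1/1/2012',   # delete certificates whose NotAfter is before this date
    [switch]$Commit                 # dry run by default; pass -Commit to actually delete rows
)

# Disposition=20 limits the view to issued certificates, so failed/pending requests
# (which "-deleterow <date> Request" handles) are never touched by this loop.
$csv = certutil -view -restrict "Disposition=20,NotAfter<$Cutoff" -out "RequestID" csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil emits a CSV header line first; keep only lines whose first field is a RequestID.
$ids = $csv | Select-Object -Skip 1 | ForEach-Object {
    $field = ($_ -split ',')[0].Trim().Trim('"')
    if ($field -match '^\d+$') { [int]$field }
}

Write-Host ("{0} issued certificate(s) expired before {1}" -f @($ids).Count, $Cutoff)

$deleted = 0
foreach ($id in $ids) {
    if (-not $Commit) {
        Write-Host "Would delete RequestID $id"
        continue
    }
    # Same call as in the thread: a bare RequestID removes that row from the Request table.
    certutil -deleterow $id | Out-Null
    if ($LASTEXITCODE -eq 0) {
        $deleted++
    } else {
        Write-Warning "RequestID $id was not deleted (certutil exit code $LASTEXITCODE)"
    }
}

if ($Commit) {
    Write-Host "Deleted $deleted row(s). Whitespace is only reclaimed by compacting the database afterwards."
}
```

Run it first without -Commit and review the list against anything you still need for key recovery, since a deleted row cannot be recovered from the CA database.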
