Welcome to SpiderWiki,
There are currently 131 articles.

Cleaning up a bloated CA

From SpiderWiki
Jump to: navigation, search

Using this method I was able to reduce a massive and poorly configured CA from 1.6GB right down to 108MB. The process took about 30 minutes. And 4 weeks to get approval.


Before you start

Backup your CA

Get the OID of all published certifcates

It's a good idea to know the OID of all the certificate templates published in your CA. It should be noted that the OID for the standard templates is their name i.e. "user". Unfortunatley most of your certificate templates will no doubt be custom templates and so have a nice OID similar to "". So to get these OIDs

If you have Powershell available run

 Certutil –catemplates –v | select-string displayname,msPKI-Cert-Template-OID

If not oh dear.. all is not lost we can get them by exporting. There may be better ways but this is what works for me. This requires a certain ammount of tidying up but will give you a line in alltemplates.txt for each certificate or request in your CA. You'll then need to remove duplicates and generally clean up the bumph. Top Tip Excel delimiting the result by " is useful.

certutil -view | findstr -i template= > alltemplates.txt

Exporting certificate details

Filtering the Certificates Returned

You can use the -restrict option to restrict which certificate details get exported e.g. remember standard templates OID is their name
certutil -view -restrict “certificate template=user” 

Some further examples

certutil -view -restrict “certificate template=″

You may find it useful to restrict the above commands further using the disposition attribute. Below are their values and their descriptions:

  • 20 certificate was issued
  • 21 certificate is revoked
  • 30 certificate request failed
  • 31 certificate request is denied

So to only retrieve details of failed requests for certificates created from the user template we could run

certutil -view -restrict “certificate template=user,disposition=30” 

However in my experience most failures are actually denied (usually because some numpty has misconfigured the template) so we're probably better off using:

certutil -view -restrict “certificate template=user,disposition=31” 

Filtering the attributes returned

So this is all well and good but were still getting way to much data to be useful. If you look at the top section of one of the previous commands you will see all the values that you can use to both filter the certificates returned (as above) or to restrict the attributes retuned using the -out option.

So the below will considerably reduce the ammount of data that gets returned.

certutil -view -restrict “certificate template=user″ -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition

To discover all the attributes view the output of a command omitting the -out option.

My Process

This is the process that I used.

Use one of the methods above to obtain the published templates OIDs.

Export the all successfully issued certificates limiting the attributes returned to the template id. I then use findstr to remove other lines.

certutil -view -restrict “disposition=20” -out "Certificate Template" | findstr -i template= > allissued.txt

Next is use excel to manipulate the text file. Delimit the file when you import it by ". Remove the useless first column. Then remove duplicate lines. This should leave you with only the templates that have successfully issued certificates. You can un-issue (delete) any issued templates not in your list.

This method doesn't cover any failed to issue request or pending requests but in my example we don't care because they're exactly the reason why our CA was in such a mess.

Delete records from the CA DB

To delete all failed and pending requests up to Valentines day 2013 use

Certutil –deleterow 14/02/2013 Request

To delete ‘all’ certificates expired by Valentines day 2013 use

Certutil –deleterow 14/02/2013 Cert

Certutil has a built in limit in the number of records it will delete in one run (around 1770 in my experience). If you have a large number of records you can use a simple cmd file to make life easier.

@echo off
Certutil -deleterow 8/31/2010 Request
If %ERRORLEVEL% EQU -939523027 goto Top

For a more targeted approach you can use the request id. Assuming teh request ID you want to delete is 8008

certutil -deleterow 8008

Defrag the CA DB

You will need at least as much free space on the partition your Db file lives on as the size of the DB. Make sure you take another backup here.

If you don't know where your DB is located you can use.

certutil -databaselocations

  • Stop the ‘Certificate Services’ service and disable it. (Active Directory Certificate services from services.msc) then run the following command
  • esentutl /d c:\windows\system32\CertLog\YourCA.edb.

Source Artice