Cleaning up a bloated CA
Using this method I was able to reduce a massive and poorly configured CA from 1.6GB right down to 108MB. The process took about 30 minutes. And 4 weeks to get approval.
Before you start
- Backup your CA
Get the OID of all published certifcates
- It's a good idea to know the OID of all the certificate templates published in your CA. It should be noted that the OID for the standard templates is their name i.e. "user". Unfortunatley most of your certificate templates will no doubt be custom templates and so have a nice OID similar to "184.108.40.206.4.1.3220.127.116.1119805.2707949.10374545.1112108.15908497.246.7506132.8196480". So to get these OIDs
If you have Powershell available run
Certutil –catemplates –v | select-string displayname,msPKI-Cert-Template-OID
If not oh dear.. all is not lost we can get them by exporting. There may be better ways but this is what works for me. This requires a certain ammount of tidying up but will give you a line in alltemplates.txt for each certificate or request in your CA. You'll then need to remove duplicates and generally clean up the bumph. Top Tip Excel delimiting the result by " is useful.
certutil -view | findstr -i template= > alltemplates.txt
Exporting certificate details
Filtering the Certificates Returned
- You can use the -restrict option to restrict which certificate details get exported e.g. remember standard templates OID is their name
certutil -view -restrict “certificate template=user”
Some further examples
certutil -view -restrict “certificate template=18.104.22.168.4.1.322.214.171.12419805.2707949.10374545.1112108.15908497.246.12570639.12467311″
You may find it useful to restrict the above commands further using the disposition attribute. Below are their values and their descriptions:
- 20 certificate was issued
- 21 certificate is revoked
- 30 certificate request failed
- 31 certificate request is denied
So to only retrieve details of failed requests for certificates created from the user template we could run
certutil -view -restrict “certificate template=user,disposition=30”
However in my experience most failures are actually denied (usually because some numpty has misconfigured the template) so we're probably better off using:
certutil -view -restrict “certificate template=user,disposition=31”
Filtering the attributes returned
So this is all well and good but were still getting way to much data to be useful. If you look at the top section of one of the previous commands you will see all the values that you can use to both filter the certificates returned (as above) or to restrict the attributes retuned using the -out option.
So the below will considerably reduce the ammount of data that gets returned.
certutil -view -restrict “certificate template=user″ -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
To discover all the attributes view the output of a command omitting the -out option.
This is the process that I used.
- Use one of the methods above to obtain the published templates OIDs.
Export the all successfully issued certificates limiting the attributes returned to the template id. I then use findstr to remove other lines.
certutil -view -restrict “disposition=20” -out "Certificate Template" | findstr -i template= > allissued.txt
Next is use excel to manipulate the text file. Delimit the file when you import it by ". Remove the useless first column. Then remove duplicate lines. This should leave you with only the templates that have successfully issued certificates. You can un-issue (delete) any issued templates not in your list.
This method doesn't cover any failed to issue request or pending requests but in my example we don't care because they're exactly the reason why our CA was in such a mess.
Delete records from the CA DB
To delete all failed and pending requests up to Valentines day 2013 use
Certutil –deleterow 14/02/2013 Request
To delete ‘all’ certificates expired by Valentines day 2013 use
Certutil –deleterow 14/02/2013 Cert
Certutil has a built in limit in the number of records it will delete in one run (around 1770 in my experience). If you have a large number of records you can use a simple cmd file to make life easier.
@echo off :Top Certutil -deleterow 8/31/2010 Request If %ERRORLEVEL% EQU -939523027 goto Top
For a more targeted approach you can use the request id. Assuming teh request ID you want to delete is 8008
certutil -deleterow 8008
Defrag the CA DB
You will need at least as much free space on the partition your Db file lives on as the size of the DB. Make sure you take another backup here.
If you don't know where your DB is located you can use.
- Stop the ‘Certificate Services’ service and disable it. (Active Directory Certificate services from services.msc) then run the following command
- esentutl /d c:\windows\system32\CertLog\YourCA.edb.