HowTo: Cleanup expired certificates from a Microsoft CA with Powershell and Shrink the DB Part 1 of 2
Thursday, December 18, 2014 10:19 AM
Regularly (depending on number of issued certificates) you have to perform a cleanup of expired certificates from your CA (Certification Authority) DB and then shrink the db to get rid of the “white space”.
You have to perform the following 3 steps in order:
make a backup of your CA DB (protected with a password) to another Server / medium
- this backup also "removes" the maybe hundres of db log files (each of the has a size of 1 MB) – in my case 828
cleanup all expired certificates from all 4 categories with my PowerShell Script
- in a first step it's the best to run the script in a "view only" modus to see which certificates would be deleted
- the script and all the details are explained in the 2nd part of this series! => Klick following link for part 2: Part 2 of 2
Shrink your CA database to get rid of the “whitespace”
- for this you use the esentutl tool with the “/d” (= defragmentation) option
before executing the esentutl command stop the AD Certificate service and disable it
- run the following command with the path to the .edb DB file
- at the end the db - file is more than 100 MB smaller than before!
- at this point you have to enable and start the CA Service again!
The PowerShell Script from the 2nd step to easily cleanup the different expired certificates from the CA DB is explained in the following post:
Further Information about the maintenance of a large CA database:
“The Case of the Enormous CA Database” http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx