It can grow quite large, depending on the number of issued certificates of course, but keeping it as clean and compact as possible makes it work a lot quicker and reduces the chance of errors.
So to clean the CA database we use Certutil.
Clean up the Failed and Pending requests from before 31 January 2016:
Certutil -Deleterow 31/12/2022 Request
Or with a US English date format:
Certutil -Deleterow 12/31/2022 Request
Mind the date notation, as it might be different on your system. Since I'm in the Netherlands the notation is dd/mm/yyyy; for the US it's mm/dd/yyyy.
Clean up the Expired and Revoked certificates from before 31 January 2016:
Certutil -Deleterow 31/12/2016 Cert
This may take some time as it goes through all certificates and adds them to the CRL.
Certutil.exe will only delete about 2,000 - 3,000 records at a time before failing due to exhaustion of the version store. To work around this, wrap the command in a simple batch file (as shown below) that runs the command over and over until all the designated records have been removed.
@echo off
:Top
Certutil -deleterow 31/12/2023 Request
if %ERRORLEVEL% EQU -939523027 goto Top
Or for the Certificates:
@echo off
:Top
Certutil -deleterow 31/12/2023 Cert
if %ERRORLEVEL% EQU -939523027 goto Top
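The same retry loop in PowerShell, as an added example that is not part of the original post: it takes a database backup first, repeats certutil -deleterow while the exit code is the version-store code used in the batch file, and stops with an error on any other non-zero code instead of exiting silently. The backup path, the parameter names and the pass limit are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated session on the CA.
# $Before must be typed in the date notation of this machine, as the post warns.
param(
    [Parameter(Mandatory)] [string] $Before,                 # e.g. 31/12/2023 or 12/31/2023
    [ValidateSet('Request', 'Cert')] [string] $Table = 'Request',
    [string] $BackupDir = 'D:\CABackup',                     # hypothetical path
    [int] $MaxPasses = 500                                   # safety stop, arbitrary value
)

$VersionStoreExhausted = -939523027   # exit code the batch file in the post loops on

# Deleted rows cannot be restored from the live database, so back it up first.
certutil -backupDB $BackupDir
if ($LASTEXITCODE -ne 0) {
    throw "Backup failed (exit code $LASTEXITCODE); nothing was deleted."
}

for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    certutil -deleterow $Before $Table | Out-Null
    $code = $LASTEXITCODE

    if ($code -eq 0) {
        Write-Host "Done: $Table rows before $Before removed after $pass pass(es)."
        return
    }
    if ($code -ne $VersionStoreExhausted) {
        # The batch loop just ends here; surface the failure instead.
        throw "certutil -deleterow failed on pass $pass with exit code $code."
    }
    Write-Host "Pass $pass hit the version store limit, running again..."
}
throw "Stopped after $MaxPasses passes without finishing; check the CA database."
```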