Share via

certutil -deleterow cert (2 weeks running and nothing?)

Glen Harrison 6 Reputation points
2020-08-06T10:24:31.397+00:00

Hi everyone,

My CA database has not been maintained in years, and there's 4 million certificates in the database. I've been running certutil -deleterow 01/07/2020 cert for the past two weeks, but I'm not sure it's actually doing anything.

How can I check the progress?

Thanks

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,850 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Fan Fan 15,341 Reputation points Microsoft Vendor
    2020-08-07T01:10:20.103+00:00

    Hi,
    Based on my research,when we remove the expired certificates ,Certutil -deleterow expired date cert,t
    he only problem with this approach is that certutil.exe will only delete about 2,000 - 3,000 records at a time before failing due to exhaustion of the version store. Luckily, we can wrap this command in a simple batch file that runs the command over and over until all the designated records have been removed.

    16242-8075.jpg
    More details for your reference:
    https://learn.microsoft.com/en-us/archive/blogs/askds/the-case-of-the-enormous-ca-database
    And you can find Certificates that are About to Expire using PowerShell command before and after running the delete command to confirm if the expired certificates changed.
    https://devblogs.microsoft.com/scripting/use-powershell-to-find-certificates-that-are-about-to-expire/
    Best Regards,

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.