Certutil -DeleteRow - how does it process?

Ben Wosjke 136 Reputation points
2024-05-09T05:37:05.57+00:00

Hi all - tag entered as "Active directory" as there does not appear to be a tag for "certificate Authority" or "PKI"

Dealing with a CA for a mid-size company that has not been maintained - there are certs in the DB which expired in 2011 - and the DB is approx 14GB.

I thought I would start off fairly safe, and after taking a backup ran

certutil -deleterow 01/01/2016 request

It has now been running for 7 hours - and since there is no type of progress reported - I have no idea where it is up to.

Is anyone able to tell me how "certutil -DeleteRow" works? I.e. does it work through each record in the ESE database and check? Or is it a bit smarter, using statements to narrow down the fields? Just trying to work out if it's better to run smaller cleanups... or if it's going to take the same amount of time, every time (as it checks every row) - just one big cleanup.

Either way, I'm panicking a bit at the amount of time this is taking.


1 answer

  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2024-05-09T07:51:39.5966667+00:00

    Hello Ben Wosjke,

    Thank you for posting in Q&A forum.

    1. Hi all - tag entered as "Active directory" as there does not appear to be a tag for "certificate Authority" or "PKI"
    A: Yes, you are selecting the correct tag.

    2. certutil -deleterow 01/01/2016 request
    A: From the example below, your command means it deletes failed and pending requests submitted before January 1, 2016.


    3. Is anyone able to tell me how "certutil -DeleteRow" works? I.e. does it work through each record in the ESE database and check? Or is it a bit smarter, using statements to narrow down the fields?

    A: I think it is a bit smarter using statements to narrow down the fields.

    For example:
    In my lab, the first runs fast (takes maybe one second). The second takes 3-4 seconds to run.

    4. Just trying to work out if it's better to run smaller cleanups... or if it's going to take the same amount of time, every time (as it checks every row) - just one big cleanup.

    A: I think it is better to run smaller cleanups.

    For more information, please refer to link below.

    certutil

    https://learn.microsoft.com/zh-cn/windows-server/administration/windows-commands/certutil

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

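
The "smaller cleanups" approach from the answer, sketched as an added PowerShell example that is not part of the original thread or of Microsoft's documentation: it walks the cutoff date forward in steps up to the 01/01/2016 cutoff from the question and records how long each `certutil -deleterow` batch takes. The parameter names, the 2011 start date, the three-month step and the log path are hypothetical, and the `MM/dd/yyyy` date form is an assumption taken from the command in the question.

```powershell
# Added example (not from the thread): batched -deleterow with per-batch timing.
# Assumptions: elevated session on the CA host; certutil accepts dates as
# MM/dd/yyyy, the form used in the question; $Start and $Log are constructed.
param(
    [datetime]$Start      = '2011-01-01',  # first cutoff (constructed value)
    [datetime]$End        = '2016-01-01',  # final cutoff, from the question
    [int]     $StepMonths = 3,             # size of each batch
    [string]  $Table      = 'Request',     # table named in the question
    [string]  $DateFormat = 'MM/dd/yyyy',
    [string]  $Log        = '.\deleterow-batches.log',
    [switch]  $Execute                     # without this, only print the plan
)

if ($StepMonths -lt 1) { throw 'StepMonths must be at least 1.' }
if ($Start -gt $End)   { throw 'Start must not be later than End.' }

$cutoff = $Start
while ($true) {
    if ($cutoff -gt $End) { $cutoff = $End }   # never go past the final cutoff
    $dateArg = $cutoff.ToString($DateFormat, [cultureinfo]::InvariantCulture)

    if (-not $Execute) {
        Write-Output "Would run: certutil -deleterow $dateArg $Table"
    }
    else {
        $timer  = [System.Diagnostics.Stopwatch]::StartNew()
        $output = & certutil.exe -deleterow $dateArg $Table 2>&1
        $code   = $LASTEXITCODE
        $timer.Stop()

        # One log line per batch gives the progress record a single long run lacks.
        $line = '{0:s} cutoff={1} table={2} exit={3} seconds={4:N0}' -f
                (Get-Date), $dateArg, $Table, $code, $timer.Elapsed.TotalSeconds
        $line | Tee-Object -FilePath $Log -Append

        if ($code -ne 0) {
            # Stop at the first failure so the log shows the last cutoff that completed.
            $output | Out-String | Write-Warning
            throw "certutil -deleterow failed at cutoff $dateArg (exit code $code)."
        }
    }

    if ($cutoff -ge $End) { break }
    $cutoff = $cutoff.AddMonths($StepMonths)
}
```

Run it once without `-Execute` to review the planned cutoffs, then again with `-Execute`; the per-batch timings in the log show whether smaller ranges actually finish faster on a given database.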