Share via

Operating a Windows PKI: Removing Expired Certificates from the CA Database

Today, I am going to discuss removing expired certificates from the CA database.  Every time a CA issues a certificate it also stores a copy of the issued certificate in the CA database.  Overtime the certificates that the CA issues expire.  Once the certificate expires it is no longer valid.  Therefore, once a certificate expires you can safely remove it from the CA database.  The one exception to this is if have Key Archival configured on the CA.  If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

Important Note: You should backup the CA including the database and log files prior to deleting any certificates from the database.

Removing expired certificates

Today’s current date is 5/10/2012, and you can see in the screenshot below that I have several issued certificates that are expired.


So, to remove the expired certificates from the CA Database I can run the following command:

certutil –deleterow certs 5/10/2012

As you can see in the screenshot below, 16 rows were deleted.


Now, if I look at the Issued Certificates container in the Certification Authority management console I see that my expired certificates are no longer there.


Note: The certutil command listed above will only delete ~3000 certificates at a time. So, if you have a lot of expired certificates you will have to rerun the command several times.

Delete Pending and Failed Requests

Also, if you want to delete any failed or pending requests that were submitted prior to the current day you can use the following command:

certutil –deleterow <today’s date in mm/dd/yyyy format> request



So, I covered the steps for removing expired certificates from the CA database.  I also covered removing pending and failed requests from the CA database. 

I am looking for a list of topics to cover in future blog postings.  So, if you have a topic you would like me to cover, please submit a comment or contact me at @chdelay on Twitter.