This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi everyone,
My CA database has not been maintained in years, and there's 4 million certificates in the database. I've been running certutil -deleterow 01/07/2020 cert for the past two weeks, but I'm not sure it's actually doing anything.
How can I check the progress?
Thanks
what is your goal?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
The CA MMC shows 4.4 million certs, 90% which have expired. I thought it best practice to maintain the DB.
Hi,
Based on my research,when we remove the expired certificates ,Certutil -deleterow expired date cert,t
he only problem with this approach is that certutil.exe will only delete about 2,000 - 3,000 records at a time before failing due to exhaustion of the version store. Luckily, we can wrap this command in a simple batch file that runs the command over and over until all the designated records have been removed.
More details for your reference:
https://video2.skills-academy.com/en-us/archive/blogs/askds/the-case-of-the-enormous-ca-database
And you can find Certificates that are About to Expire using PowerShell command before and after running the delete command to confirm if the expired certificates changed.
https://devblogs.microsoft.com/scripting/use-powershell-to-find-certificates-that-are-about-to-expire/
Best Regards,
Thanks, however the command has not errored in over two weeks. We are now into week 3 and it's still running.
Hi,
If the running command fails to complete your goal,he methods mentioned above worth a try.
Best Regards,