Certification authority database

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you install a certification authority (CA), you create a certification authority database on the server. This database should be located on an NTFS file system partition on the server's disk drives to provide the best security possible for the database file. You specify the locations for the database during the setup of a CA. By default, the database is located in:

systemroot\system32\certlog

The name of the database file is based on the name of the CA, with an .edb extension.

The Certification Authority MMC console provides a view into the certification authority database on a CA and the ability to administer the database.

A certification authority database stores:

  • Every certificate issued by the CA.

  • Every private key archived by the CA.

  • Every certificate revoked by the CA.

  • Every certificate request received by the CA, regardless of the disposition.

You also specify the location of the certificate database log during Certificate Services setup. The certificate database log keeps a record of every transaction involving the certificate database. Certificate database logs are used when restoring the CA from a backup. If a CA is restored from a backup that is one month old, the certificate database logs generated since that backup can be replayed against the database to bring it back to its most current state. When you back up a certification authority, the existing certificate database logs are truncated, because they are no longer needed to restore the certificate database to its most current state.
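The database location, file name, NTFS placement and log files described above can be checked on a CA with the following PowerShell, an added example that is not part of the original page. It assumes the CertSvc registry layout that certutil -getreg reads (the Active value and the DBDirectory and DBLogDirectory values under the active CA's key) and must be run elevated on the CA itself.

```powershell
# Added example (not from the original page): report where the CA keeps its
# database and transaction logs and whether they match the guidance above.
# Assumption: standard CertSvc registry layout (Active, DBDirectory, DBLogDirectory).
function Get-CaDatabaseInfo {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $cfg $caName)

    # The stored paths may contain %SystemRoot%; expand them before touching disk.
    $dbDir  = [Environment]::ExpandEnvironmentVariables($caKey.DBDirectory)
    $logDir = [Environment]::ExpandEnvironmentVariables($caKey.DBLogDirectory)

    $dirs = @(@{ Role = 'Database'; Path = $dbDir }, @{ Role = 'Log'; Path = $logDir })
    $report = foreach ($d in $dirs) {
        $drive = Split-Path -Qualifier $d.Path
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"

        # Allow ACEs granting write access to Everyone or Users undermine the
        # reason the page asks for an NTFS partition in the first place.
        $weakAces = @((Get-Acl -Path $d.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '^(Everyone|.*\\Users)$' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
        })

        New-Object PSObject -Property @{
            Role       = $d.Role
            Path       = $d.Path
            FileSystem = $disk.FileSystem
            IsNtfs     = ($disk.FileSystem -eq 'NTFS')
            WeakAces   = $weakAces.Count
        }
    }

    # The database file is named after the CA with an .edb extension; the
    # transaction logs live in the log directory and shrink after a backup.
    $edbPath = Join-Path $dbDir ($caName + '.edb')
    $logs    = @(Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        CAName        = $caName
        DatabaseFile  = $edbPath
        DatabaseFound = (Test-Path -Path $edbPath)
        LogFileCount  = $logs.Count
        LogBytes      = ($logs | Measure-Object -Property Length -Sum).Sum
        Directories   = $report
    }
}

$info = Get-CaDatabaseInfo
$info | Format-List CAName, DatabaseFile, DatabaseFound, LogFileCount, LogBytes
$info.Directories | Format-Table Role, Path, FileSystem, IsNtfs, WeakAces -AutoSize
```

Run it before and after a CA backup to see the log file count and size drop, and treat any row with IsNtfs false or WeakAces greater than zero as a finding to fix.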

For more information about CA backup and restore, see Backing up and restoring a certification authority.