Compacting (defragmenting) the certification authority database

Sometimes the database of the certification authority grows extremely large. Perhaps a large number of certificate requests arrived unnoticed and were rejected, or perhaps the database contains many certificates that were issued twice. Deleting the corresponding rows from the certification authority database does not shrink the file: the space freed inside the database still has to be reclaimed in the server's file system by compacting it.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

Identification of the location of the certification authority database

By default, the certification authority database is located at C:\Windows\System32\CertLog. If the certification authority database is located elsewhere, you can identify the location (the DBDirectory and DBLogDirectory values of the CertSvc configuration) with the following command:

certutil -getreg DB*

Putting the certification authority into maintenance mode

First of all, if you have not already done so, put the Certification Authority into maintenance mode. This prevents the contents of the certification authority database from changing until the maintenance work is completed, and also allows you to restore a backup that was created at the beginning of the work.

Creating a backup of the certification authority database

After that, you should make a backup of the certification authority database. A full backup also causes the committed transaction logs to be written into the database file and truncated.

certutil -backupdb {path-to-backup-folder}

Stopping the certification authority service

When the certification authority service is stopped, any remaining transaction logs are replayed into the database file and the database is brought into a clean shutdown state.

This step alone can save a lot of disk space, because the log files are no longer needed.

Compacting the Certification Authority database

Important: The compacting of the database must be done on the live data. It is not possible to compact a backup of the certification authority database and then restore it.

The certification authority database can now be compacted (defragmented) with the following command. Note that esentutl writes the compacted copy to a temporary file next to the database before replacing the original, so the volume needs free space of at least the current database size.

esentutl /d {path to database file}

Now that the compacting of the database file is complete, it should be much smaller than before.

Restarting the certification authority

Afterwards, the certification authority service can be started again.

A new backup of the compacted database should now be created.

certutil -backupdb {path-to-backup-folder}

Likewise, do not forget to take the certification authority out of maintenance mode again.
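The whole procedure above, from locating the database to the final backup, as an added PowerShell example (this is not code from the original article). It assumes an elevated PowerShell session on the CA server, a backup root of D:\CABackup (an assumed path), and that the certification authority was already put into maintenance mode by the separate procedure referenced above; that step and its reversal are not automated here. The script also adds two checks a practitioner would want before running esentutl /d: that the database reports Clean Shutdown, and that the volume has enough free space for the temporary defragmentation file.

```powershell
# Added example, not part of the original article. Run elevated on the CA server.
# Assumption: the CA is already in maintenance mode; $BackupRoot is an assumed path.
$ErrorActionPreference = 'Stop'
$BackupRoot = 'D:\CABackup'

# 1. Locate the database via the CertSvc configuration key (same data certutil -getreg DB* shows)
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbFile = Join-Path $cfg.DBDirectory ("{0}.edb" -f $cfg.Active)   # database is named after the CA
if (-not (Test-Path $dbFile)) { throw "Database file not found: $dbFile" }
$sizeBefore = (Get-Item $dbFile).Length

# 2. Full backup before anything is touched; this also truncates committed transaction logs
$stamp        = Get-Date -Format 'yyyyMMdd-HHmm'
$backupBefore = Join-Path $BackupRoot "before-$stamp"
& certutil.exe -backupdb $backupBefore
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# 3. Stop the CA so remaining logs are replayed into the .edb and the file is closed
Stop-Service -Name CertSvc

# 4. esentutl /d only works on a consistent database: check the header for Clean Shutdown
$header = & esentutl.exe /mh $dbFile
if (($header -join "`n") -notmatch 'Clean Shutdown') {
    Start-Service -Name CertSvc
    throw "Database is not in Clean Shutdown state; do not defragment it in this state"
}

# 5. The compacted copy is written to a temp file next to the database first,
#    so require at least the current database size as free space on that volume
$driveName = (Split-Path $dbFile -Qualifier).TrimEnd(':')
$drive     = Get-PSDrive -Name $driveName
if ($drive.Free -lt $sizeBefore) {
    Start-Service -Name CertSvc
    throw "Not enough free space on ${driveName}: for the defragmentation temp file"
}

# 6. Offline defragmentation of the live database file
& esentutl.exe /d $dbFile
if ($LASTEXITCODE -ne 0) { throw "esentutl /d failed with exit code $LASTEXITCODE" }
$sizeAfter = (Get-Item $dbFile).Length

# 7. Start the CA again and take a fresh backup of the compacted database
Start-Service -Name CertSvc
$backupAfter = Join-Path $BackupRoot "after-$stamp"
& certutil.exe -backupdb $backupAfter
if ($LASTEXITCODE -ne 0) { throw "post-compaction certutil -backupdb failed with exit code $LASTEXITCODE" }

"{0}: {1:N0} MB before, {2:N0} MB after compaction" -f $dbFile, ($sizeBefore / 1MB), ($sizeAfter / 1MB)
# Remember to take the CA out of maintenance mode afterwards (separate procedure).
```

The two guards deliberately restart the service before throwing, so a failed precondition leaves the CA running rather than stopped; if a check fails, resolve the cause (recover the database or free up space) and start over from the backup step rather than skipping it.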
