Skip navigation

Q. Is there an easy way to clean the database of a Windows Certification Authority (CA)? I'd like to remove expired certificate entries from the database.

A. You can clean up certificate records manually using the certutil.exe command line utility that's bundled with the Windows OS. To do so, you must first log on with administrator privileges. Then open a command prompt, and use certutil with the -deleterow switch. You can use the certutil tool to delete both certificate entries and certificate request and CRL entries from the CA database. To get more information on the -deleterow certutil option, use the following at the command line:

Certutil –deleterow /?

 The Windows CA database is based on JET, the Microsoft database engine that's used in many other Microsoft products, including Access, SQL Server, and Exchange. This means you can also defragment the CA database using standard JET maintenance tools such as eseutil.exe.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.