
PowerShell PKI Module Documentation


Remove-AdcsDatabaseRow

Synopsis

Removes CA database rows individually or in bulk based on a removal filter.

Syntax

Remove-AdcsDatabaseRow -Request <Object> [<CommonParameters>]

Remove-AdcsDatabaseRow -CertificationAuthority <CertificateAuthority[]> [-Filter <String> {ExpiredCerts | ExpiredFailedPending | Request | CRL} ] -RemoveBefore <DateTime> [<CommonParameters>]

Description

Removes CA database rows individually or in bulk based on a removal filter. This command is mainly used to reduce CA database size by removing old and unnecessary database rows.

Hint: when you remove a large number of database rows, it is recommended to perform a full CA database backup and restore to efficiently re-allocate disk space and update database log files.

Parameters

-Request <Object>

Specifies the request row object to remove from the database.

Note: removal of database row objects that represent the 'Attribute' or 'Extension' table is not supported. When a database row is removed from the 'Request' table, the corresponding entries in the 'Attribute' and 'Extension' tables are removed by the CA server internally.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Filter <String>

Specifies the filter that is used to determine the type of database rows to be deleted. This parameter works in conjunction with the 'RemoveBefore' and 'CertificationAuthority' parameters. The following filters are available:

  • ExpiredCerts — removes issued and revoked certificates that expired (based on NotAfter field value) before the date specified in the 'RemoveBefore' parameter.
  • ExpiredFailedPending — removes issued and revoked certificates that were last modified before the date specified in the 'RemoveBefore' parameter.
  • Request — combines the previous two filters.
  • CRL — removes published CRLs that expired (based on NextPublish field value) before the date specified in the 'RemoveBefore' parameter.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-CertificationAuthority <CertificateAuthority[]>

Specifies the certification authority to process. This parameter works in conjunction with 'Filter' and 'RemoveBefore' parameters.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-RemoveBefore <DateTime>

Specifies an expiration date when deleting certificates or CRLs, and a last modified date when deleting certificate requests. This parameter has no effect when you pass individual row objects.

Warning: if this parameter is not set, the command will remove all database rows specified by a filter! Think twice!

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow


PKI.CertificateServices.CertificateAuthority

Outputs

SysadminsLV.PKI.Utils.IServiceOperationResult

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 15,63,112 | Remove-AdcsDatabaseRow

In this example, pending requests with RequestID equal to 15, 63 and 112 are removed from the CA database.

Example 2

PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-FailedRequest | Remove-AdcsDatabaseRow

This command removes all failed requests. Other request types and tables are left untouched.

Example 3

PS C:\> Get-CertificationAuthority "ca01.company.com" | Remove-AdcsDatabaseRow -Filter "Request" -RemoveBefore $((Get-Date).AddYears(-1))
PS C:\> Get-CertificationAuthority "ca01.company.com" | Remove-AdcsDatabaseRow -Filter "CRL" -RemoveBefore $((Get-Date).AddYears(-1))

In this example, two commands are used to perform a full CA database cleanup. All certificate requests and CRLs that expired (or, for pending and failed requests, were last modified) more than one year ago are removed.
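The syntax above lists no -WhatIf or -Confirm switch, and a bulk removal also deletes the CA's record of what it issued, so the following added example (not part of the PSPKI documentation) wraps the 'ExpiredCerts' cleanup in a preview, audit export and confirmation step. The function name, the audit folder, the 90-day margin and the "NotAfter -lt <date>" filter string (parsed by the module in the session's date format) are assumptions.

```powershell
# Added example, not PSPKI's own code. Assumes the PSPKI module is installed
# and the caller holds CA administrator permissions.
Import-Module PSPKI

function Invoke-ExpiredCertCleanup {                      # hypothetical wrapper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]   $CAName,
        [Parameter(Mandatory)] [datetime] $RemoveBefore,
        [Parameter(Mandatory)] [string]   $AuditDir,      # hypothetical export folder
        [int] $MinAgeDays = 90                            # hypothetical safety margin
    )

    # Refuse a cutoff close to "now": a mistyped date would otherwise purge
    # rows for certificates that expired only recently.
    if ($RemoveBefore -gt (Get-Date).AddDays(-$MinAgeDays)) {
        throw "RemoveBefore '$RemoveBefore' is inside the $MinAgeDays-day safety margin."
    }

    $ca = Get-CertificationAuthority $CAName
    if (-not $ca) { throw "CA '$CAName' was not found." }

    # Preview the rows the 'ExpiredCerts' filter targets (issued and revoked
    # certificates whose NotAfter is earlier than the cutoff).
    $filter = "NotAfter -lt $RemoveBefore"
    $rows = @($ca | Get-IssuedRequest  -Filter $filter) +
            @($ca | Get-RevokedRequest -Filter $filter)
    if ($rows.Count -eq 0) { Write-Verbose 'Nothing to remove.'; return }

    # Keep an audit copy of the rows. -WhatIf:$false makes the export happen
    # even on a dry run, because Export-Csv would otherwise inherit -WhatIf.
    $csv = Join-Path $AuditDir ("expired-certs-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
    $rows | Export-Csv -Path $csv -NoTypeInformation -WhatIf:$false -Confirm:$false
    Write-Verbose "$($rows.Count) rows exported to $csv"

    # Only this step deletes anything; it honours -WhatIf and prompts by default.
    if ($PSCmdlet.ShouldProcess($CAName, "Remove $($rows.Count) expired certificate rows")) {
        $ca | Remove-AdcsDatabaseRow -Filter 'ExpiredCerts' -RemoveBefore $RemoveBefore
    }
}

# Dry run: writes the CSV, reports what would be removed, deletes nothing.
# 'C:\PKI\Audit' is a placeholder path.
Invoke-ExpiredCertCleanup -CAName 'ca01.company.com' -RemoveBefore (Get-Date).AddYears(-1) -AuditDir 'C:\PKI\Audit' -WhatIf -Verbose
```

Run it without -WhatIf to be prompted before the removal, and review the exported CSV first.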

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-RevokedRequest
Get-IssuedRequest
Get-PendingRequest
Get-FailedRequest
Get-AdcsDatabaseRow

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions