Problem

How to properly back up a Windows Certificate Authority so that the log files are truncated and the disk space is reclaimed, without deleting the database logs by hand.
Yesterday we had an issue where our certificate server stopped responding. The OS was responsive, however the CA had stopped servicing requests and there were a fair number of errors in the Application log.
When we looked in the directory we found log files that were consuming massive amounts of disk space. People who are familiar with Exchange will recognize ESENT as a Jet database: the log files, together with the edb.log and edb.chk files, look very familiar.
The problem was that we had 7GB of log files filling up this drive, and certificate services couldn’t write its log files due to a lack of free space. A simple search turned up a fair number of results explaining how to stop the service and delete the log files, however this didn’t seem like the correct course of action, since this is a database.
Why Not Just Delete?
There is no way I would just delete the log files for my Exchange server, so why would I do it for my certificate server? I would back up my Exchange server, and that would truncate all my log files.
Solution
Another search on “Backup certutil” sent me to TechNet and the article explaining how to back up my certificate authority.
The Command
certutil -p P@ssw0rd -backup D:\CertBackup
This command performs a full backup of the database and truncates the log files, thus reclaiming all the drive space they were using.
What it Creates
This creates the directory “CertBackup” on the D drive if it doesn’t exist and populates it with:
- A certificate file “ServerName.p12”
- A directory called “DataBase” with the actual edb file and a dat file
Result
After the backup completes all the log files will be truncated and the services, if stopped, can be restarted. We will be running this periodically to make sure we don’t have this problem again.
Scripting Considerations
One issue with the scripted approach is that it will not overwrite the previous backup, so you must delete or rename the previous one, or create a new path for each backup, which isn’t hard if you are a Scripting Guy.
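The following PowerShell script is an added example, not part of the original post: it wraps the certutil command above so it can run from a scheduled task, giving each run its own timestamped folder (so the "will not overwrite" problem never comes up), checking that certutil succeeded, restricting access to the exported .p12 (which holds the CA key), and pruning old backups. It assumes a backup root of D:\CertBackup, a 30-day retention period, and that the account running it has backup rights on the CA; all three are assumptions you can change via the parameters.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$Password,  # protects the exported .p12
    [string]$BackupRoot = 'D:\CertBackup',            # assumed backup root
    [int]$KeepDays = 30                               # assumed retention period
)

$ErrorActionPreference = 'Stop'

# certutil -backup will not reuse a folder that already holds a backup,
# so every run writes into a fresh timestamped subdirectory of the root.
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Full backup of the CA database and key. The log files are truncated once the
# backup completes (appending the KeepLog keyword would preserve them instead).
& certutil.exe -p $Password -backup $Target
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backup failed with exit code $LASTEXITCODE"
}

# Sanity check against what the post says a backup contains:
# a ServerName.p12 file and a DataBase directory.
$p12 = Get-ChildItem -Path $Target -Filter '*.p12'
if (-not $p12 -or -not (Test-Path (Join-Path $Target 'DataBase'))) {
    throw "Backup at $Target is incomplete"
}

# The .p12 contains the CA's private key, so strip inherited permissions and
# allow only Administrators and SYSTEM on the backup folder.
$acl = Get-Acl -Path $Target
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Target -AclObject $acl

# Prune old backups so the backup folder does not become the next full disk.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\d{8}-\d{6}$' -and
                   $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force

Write-Output "CA backup written to $Target"
```

Run it as `.\Backup-CA.ps1 -Password 'P@ssw0rd'` (or from a scheduled task) and the command line passed to certutil, password included, will be visible in process auditing, so keep the script and the backup root on a drive only CA administrators can read.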
This approach treats the Certificate Authority database with the same respect as any other critical database system, ensuring proper backup and log management practices.