Certificates Database

Applies To: Windows Server 2008

When you install a certification authority (CA), setup also creates the CA database. The database records:

  • Every certificate issued by the CA.

  • Every private key archived by the CA.

  • Every certificate revoked by the CA.

  • Every certificate request received by the CA, regardless of whether the request is approved, denied, or set to pending.

This database should be located on an NTFS file system partition on the server's disk drives so that NTFS access control lists (ACLs) can restrict who may read or modify the database file; a FAT volume offers no file-level access control. You specify the location of the database during the setup of a CA. By default, the database is located in %systemroot%\System32\CertLog.

You also specify the location of the CA database log during Active Directory Certificate Services (AD CS) setup. The CA database log records every transaction involving the CA database and is used when restoring the CA from a backup. If a CA is restored from a backup that is one month old, the CA database can be rolled forward with the more recent activity recorded in the log, restoring the database to its most current state. When you back up a CA, the existing database log files are truncated, because the transactions they contain are now captured in the backup and are no longer needed to bring the database back to its current state.

The database file is named after the CA, with an .edb extension. The transaction log files are stored in the log directory chosen during setup.

The Certification Authority snap-in allows you to view and administer the CA database. The certutil.exe command-line tool provides the same capabilities, including database backup and restore.
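The following PowerShell script is an added example and is not part of the original article. It reads the database and log locations that setup recorded for the CA, confirms that both sit on NTFS, lists who has access to the database file, and then takes an online backup with certutil so that the log truncation described above can be observed. It assumes AD CS is installed on the local server, that the script runs in an elevated session, and that the DBDirectory, DBLogDirectory and Active values exist under the CertSvc Configuration registry key (these are the locations AD CS uses to record the paths chosen during setup). The backup directory name is an assumption chosen for the example.

```powershell
# Added example, not the original article's code or Microsoft's own script.
# Assumes: AD CS installed locally, elevated session, Windows Server 2008 / PowerShell 2.0.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg    = Get-ItemProperty -Path $cfgKey
$caName = $cfg.Active           # common name of the CA running on this server
$dbDir  = $cfg.DBDirectory      # where <CAName>.edb lives (default %systemroot%\System32\CertLog)
$logDir = $cfg.DBLogDirectory   # where the ESE transaction logs (edb*.log) live

function Test-NtfsPath {
    param([string]$Path)
    # Resolve the drive letter for the path and ask Windows which file system it carries.
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return ($disk -ne $null -and $disk.FileSystem -eq 'NTFS')
}

foreach ($p in @($dbDir, $logDir)) {
    if (-not (Test-NtfsPath $p)) {
        Write-Warning "$p is not on an NTFS volume; ACLs cannot protect the CA database there."
    }
}

# The database file is named after the CA with an .edb extension.
$dbFile = Join-Path $dbDir ("{0}.edb" -f $caName)
Get-Item $dbFile | Select-Object FullName, Length, LastWriteTime

# Who can touch the database file? Anything beyond SYSTEM and Administrators
# (plus the identity the CA service runs as) deserves a second look.
(Get-Acl $dbFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Log files before the backup.
Write-Output "Log files before backup:"
Get-ChildItem -Path $logDir -Filter 'edb*.log' | Select-Object Name, Length

# Online backup of the database and its logs; the CA service stays running.
# Backup directory name is an assumption for this example.
$backupDir = Join-Path $env:SystemDrive ('CABackup\{0:yyyyMMdd-HHmm}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir | Out-Null
certutil -backupDB $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with exit code $LASTEXITCODE" }

# After a successful backup, AD CS truncates the logs the backup made redundant.
Write-Output "Log files after backup:"
Get-ChildItem -Path $logDir -Filter 'edb*.log' | Select-Object Name, Length
```

Run the second listing against the first to see which transaction logs were truncated by the backup. To roll the database forward from such a backup, the matching command is certutil -restoreDB against the same directory, which replays whatever log files are still present in the log directory.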

For more information about CA backup and restore, see Protecting a CA from Data Loss.

Additional references