ENTERPRISE This is an EJBCA Enterprise feature.
The database maintenance service enables automated cleanup of expired certificates from the database by periodically polling the database and clearing up old certificates and Certificate Revocation Lists (CRLs).
During the certificate lifecycle, certificates may:
- Naturally expire
- Be intentionally revoked. In this case, the certificate is included in the next CRL.
Depending on your environment, the database can increase substantially in size over time, and as expired certificates are not included in CRLs by default, there is usually no reason to keep them.
The service performs cleanup under the following conditions:
- expireDate < (Today - delayTime)
An audit log follows every deletion and each audit log entry contains both the certificate serial number and the CA ID.
The following fields can be configured:
|CAs to Check
|Indicates CAs whose certificates and CRLs need to be cleared up.
|Delay After Expiration
|The delay after expiration. Indicates which time period to keep certificates or CRLs in the system once they have expired.
|Delete Expired Certificates
|Indicates whether expired certificates should be removed.
|Delete Expired CRLs
|Indicates whether to delete expired CRLs.
|Entries to delete per run
|The maximum number of expired certificates to query for at a time. If there are more expired certificates, then the service will perform multiple iterations when it runs.
Only users with the /services/database_maintenance/ access rule can view and configure the database maintenance service. By default, only the Super Administrator role has this access. For more information, see Access Rules.
Since the worker is resource-consuming, especially from a database perspective, a
certificatedata_idx_exp index is introduced to improve a selected query's performance.
Create the index before using the worker by running a command according to the following example:
CREATE INDEX certificatedata_idx_exp ON CertificateData (expireDate);