Remove unwanted CAs and CA Profiles

Randy Best
  • Randy Best

    Randy Best - 2013-08-29

    We use this splendid product in our LAB. I am trying to clean up all unwanted test/exploratory CAs. I revoked/deleted all certs, revoked the CAs etc. How to I vaporize all the unwanted CAs? All attempts with the ADMIN GUI fail.

  • Tomas Gustavsson

    Since the main purpose of a CA is to maintain auditability trace, vaporizing a CA was never meant to be easy. It will not allow you to break references between users, profiles and CAs. I'd say you need to manually clean the database.

    Trying to convert a LAB CA into production is not recommended. You'll be better of testing your proceedures in the lab and re-installing everything in production.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.

    • Randy Best

      Randy Best - 2013-09-04

      I am only trying to avoid standing up another LAB/non-production instance, not a production version (I understand that drill) I truly need to vaporize assorted junk CAs. Is there a post that contains "manually clean the database" info, any ordering, linkages that one must be careful of whilst driving MySQL?



  • Tomas Gustavsson

    Check out the database schema at

    CAData holds the CA and certificates and users are linked through issuerDNs and such. We have no guide for such manual cleaning, but usually recommend "drop database; create database" :-)

    You can vaporize the CAs simply by deleting the entries in CAData. This will leave issued certificates etc still in CertificateData, but that will not hurt unless you have very limied space in your database.



Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks