Q: How can I back up my Windows Certification Authority (CA) to protect it and its configuration data from accidental loss due to hardware or storage media failure?

A: To back up your CA, you can use a system state backup or a manual backup. A system state backup should be used when you want to restore the CA to the same hardware. A manual CA backup is the preferred option if you want to restore your CA to a different hardware platform.

A system state backup backs up the entire CA and its configuration. If the private key is stored on the CA instead of on a Hardware Security Module (HSM), a system state backup backs up the private key as well. If the private key is stored on an HSM, you must use the HSM-specific procedures as provided by the HSM vendor for key backup.

To perform a system state backup, you can use the backup utilities that come with the Windows Server platform: NTBackup in Windows 2000 and Windows Server 2003, and Windows Server Backup in Windows Server 2008.

To do a system state backup in Windows Server 2008, for example, you must first make sure the Windows Server Backup utility is installed. Windows Server Backup is a feature that must be explicitly installed on your server, which you can do by using the Server Manager's Add Features option. To schedule a backup with Windows Server Backup, click Backup Schedule in the Actions section of the tool to start the Backup Schedule Wizard. Then on the Select Backup Configuration page, select Custom, and click Next. On the Select Items for Backup page, click the Add Items button, then select System State on the next dialog box.

Microsoft also provides two CA-specific backup-restore utilities that you can use to perform a manual backup of your CA. The first utility is the Certification Authority Backup Wizard, and it's available from the Microsoft Management Console (MMC) Certification Authority snap-in. The second utility is certutil.exe, which you can access from the command prompt. The certutil switches for CA backup and restore and their meanings are explained in Table 1. For more information, type certutil /? at the command line.

Remember that a manual CA backup is the preferred option if you want to restore your CA on a different hardware platform. Also keep in mind that this procedure won't back up the CA private key if it's stored on an HSM.

To start the Certification Authority Backup Wizard, open the Certification Authority MMC snap-in, right-click your CA object, then from the Action menu, point to All Tasks and click Back Up CA. You must be a CA administrator or a member of the Backup Operators group to start the wizard.

As Figure 1 shows, the Certification Authority Backup Wizard can back up and restore the CA database, the CA database log files, and the CA private key and certificate (if not on an HSM).

Figure 1: The Certification Authority Backup Wizard

Before starting the CA-specific backup utility, make sure you've prepared a separate backup medium, or at least a separate folder that's different from the CA configuration folder on the CA server. Also, the CA backup will fail if the backup folder you use isn't empty. The CA database can be backed up incrementally, and an incremental backup can be saved to the same location as a full backup. When restoring the CA database from a full backup and a set of incremental backups, do not restart the CA service until every incremental backup has been restored. If you restart it early, you'll lose all changes made after the last incremental backup that was restored.

When you do a manual backup of your CA, you must also manually back up the CA configuration in the Windows registry. To do so, launch regedit and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration registry subkey. Click Export to export the subkey and its configuration to a .reg file. You can get the same results from the command line using the reg.exe utility as follows:
reg export "HKLM\System\CurrentControlSet\Services\CertSvc\Configuration" caconfig.reg
Manual CA backup and restore is also explained in great detail in the Microsoft Technet article "How to move a certification authority to another server."
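The manual backup steps above (empty target folder, certutil backup of the database, logs and key, then the registry export) combined into one script, as an added example that is not part of the original article. The backup root D:\CABackup is an assumed path; certutil.exe and reg.exe are assumed to be on the PATH, and the script must run as a CA administrator or Backup Operator.

```powershell
# Added example: full manual CA backup (database, logs, key/cert if not on an HSM)
# plus the CertSvc configuration registry subkey, written to a fresh folder.
param(
    [string]$BackupRoot = 'D:\CABackup'   # assumed location; any folder outside the CA config folder works
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp

# certutil -backup fails if the target folder already contains files, so each run
# gets its own brand-new, timestamped folder.
if (Test-Path $target) { throw "Backup folder $target already exists" }
New-Item -ItemType Directory -Path $target | Out-Null

# The CA private key is exported to a password-protected PFX (.p12) file.
# Prompt for that password rather than embedding it in the script.
$secure = Read-Host -AsSecureString 'Password to protect the exported CA key'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pfxPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Full backup of the CA database, its log files and the key/certificate.
# (Append the Incremental keyword after the folder for an incremental database backup;
# a key on an HSM is not exported and must be backed up with the HSM vendor's tools.)
& certutil.exe -p $pfxPwd -backup $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# certutil -backup does not capture the CA configuration held in the registry,
# so export the CertSvc\Configuration subkey alongside it (/y overwrites silently).
$regFile = Join-Path $target 'caconfig.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Verify what was written: expect a DataBase folder (the .edb and log files),
# a .p12 file for the key, and caconfig.reg.
$files = Get-ChildItem -Path $target -Recurse -File
if (-not ($files | Where-Object Extension -eq '.p12')) {
    Write-Warning 'No .p12 written: the CA key was not exported (HSM-backed key?)'
}
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

Copy the finished folder to separate media; leaving the only copy on the CA's own disk defeats the purpose of the backup.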