Monday, June 20, 2011

Manual Backup and Restore of a CA

A CA can be backed up in two ways: with Windows Server Backup, or manually, using either the Certification Authority console or certutil.exe. In this post, "manual backup" means the latter two.
This post covers:
1. Performing manual backups
2. Restoring manual backups
3. What's next
Before we start, some background. Recently I tried to join my offline Root CA to the domain and reuse the VM for my lab testing, but found I couldn't because the AD CS role was installed. So I did this Certification Authority backup and restore: backed up and removed the AD CS role, joined the machine to AD, and then restored the offline Root CA. I tested that the online issuing CA works exactly as if nothing had happened.
The following sections are quoted from "Windows Server 2008 PKI and Certificate Security" by Brian Komar.

Performing Manual Backups

Manual backups can be performed from either the Certification Authority console or the command line by using the certutil.exe command.

Using the Certification Authority Console

Use the following procedure to perform the backup:

1. From the Start menu, point to Administrative Tools, and then click Certification Authority.
2. In the console tree, ensure that Certificate Services is running.
3. In the console tree, right-click CAName, point to All Tasks, and then click Backup CA.
4. On the Welcome To The Certification Authority Backup Wizard page, click Next.
5. On the Items To Backup page, set the following options:
   - Private Key And CA Certificate: includes the CA’s certificate and private key(s) in the backup set. Select this check box only if you are using a software CSP. If using a hardware CSP, leave this check box cleared.
   - Certificate Database And Certificate Database Log: always select this check box to ensure that you include the CA database and log files in the backup set.
   - Perform Incremental Backup: this check box is not usually selected. Full backups of the CA database and log files are recommended instead.
   - Backup To This Location: select a folder on the local file system that does not contain any existing data.
6. If the Certification Authority Backup Wizard dialog box appears, click OK to create the location designated on the Items To Backup page.
7. If you chose to back up the private key and CA certificate, on the Select A Password page type and confirm a password to protect the PKCS #12 file generated by the backup procedure, and then click Next.
8. On the Completing The Certification Authority Backup Wizard page, click Finish.

Among the files created in the backup location:
   - *.p12 file: the PKCS #12 backup of the CA’s certificate and private key

Certutil Commands

1. Open a command prompt.
2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.
3. Create a folder that will contain the results of the manual backup of the CA database, for example C:\CABackup.
4. At the command prompt, type certutil -backup C:\CABackup -p password, and then press Enter.
5. At the Enter New Password prompt, type a complex password, and then press Enter.
6. At the Confirm New Password prompt, type the same password again, and then press Enter.
7. When the backup is complete, ensure there are no error messages, and then close the command prompt.


To back up only the CA database, a backup operator can use the -backupdb option: at the command prompt, type certutil -backupdb C:\CABackup.
To back up only the CA’s key pair, use the -backupkey option, which writes the CA’s private key and public key to a PKCS #12 file: certutil -backupkey C:\CABackup.
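The certutil steps above can be scripted so the backup is repeatable and the resulting set can be checked before anyone relies on it. The following PowerShell script is an added example, not code from this post or from Komar's book: it runs the same full backup (database, log and PKCS #12 key file), confirms the expected artifacts exist, and records SHA-256 hashes of every file in a manifest kept outside the backup folder. The folder path C:\CABackup, the manifest path, a software CSP (so a .p12 is produced) and PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example (not from the post, and not from Komar's book): script the full
# manual CA backup with certutil.exe, verify the artifacts, and record SHA-256
# hashes so the backup set can be checked before a restore.
# Assumptions: PowerShell 4+, the path C:\CABackup, and a software CSP.
[CmdletBinding()]
param(
    [string]$BackupDir = 'C:\CABackup',                 # must be a fresh, empty folder
    [string]$ManifestPath = 'C:\CABackup.manifest.csv', # kept outside the backup folder
    [System.Security.SecureString]$KeyPassword = (Read-Host -AsSecureString 'PKCS #12 password')
)
$ErrorActionPreference = 'Stop'

# 1. Certificate Services has to be running for certutil -backup to open the database.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    Start-Service -Name CertSvc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 2. Same rule as the wizard: the target folder must not contain existing data.
if (-not (Test-Path -Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
} elseif (Get-ChildItem -Path $BackupDir -Force | Select-Object -First 1) {
    throw "Backup folder '$BackupDir' is not empty; use a fresh folder."
}

# 3. certutil only takes the PKCS #12 password as clear text on its command line,
#    so it is decoded just for this call and released immediately afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & certutil.exe -p $plain -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# 4. Confirm the expected artifacts: the *.p12 (CA certificate + private key) and
#    the DataBase subfolder holding the *.edb file and its log files.
$p12 = Get-ChildItem -Path $BackupDir -Filter '*.p12'
if (-not $p12) { throw 'No PKCS #12 file was produced; the CA key was not backed up.' }
$edb = Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter '*.edb'
if (-not $edb) { throw 'The CA database (*.edb) is missing from the backup set.' }

# 5. Hash every file in the set and write the manifest next to, not inside, the folder.
Get-ChildItem -Path $BackupDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object -Property Hash,
        @{ Name = 'RelativePath'; Expression = { $_.Path.Substring($BackupDir.TrimEnd('\').Length + 1) } } |
    Export-Csv -Path $ManifestPath -NoTypeInformation

Write-Output "Backup set written to $BackupDir ($($p12.Name) holds the CA key); manifest at $ManifestPath"
```

The password is requested as a SecureString and converted only for the duration of the certutil call, because certutil accepts it only on the command line; the .p12 file and the manifest should be stored separately from each other and from the password, since whoever holds the .p12 and its password holds the CA.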


Restoring a Manual Backup

Before you restore, make sure all the backups you made previously are available on the CA.

Reinstalling Certificate Services

1. On the Set Up Private Key page, click Use Existing Private Key, and then select the Select A Certificate And Use Its Associated Private Key check box.
The cryptographic service provider (CSP) is automatically set to the CSP used to generate the existing private key.

2. On the Configure Certificate Database page, set the storage locations to the same database and log locations used by the original CA (same drive letters).

Restoring Manual Backups

A manual backup, whether it was created with certutil or the Certification Authority console, can be restored by using the Certification Authority console, using the following procedure:
1. From the Start menu, point to Administrative Tools, and then click Certification Authority.
2. In the console tree, click CAName.
3. In the console tree, right-click CAName, point to All Tasks, and then click Restore CA.
4. In the Certification Authority Restore Wizard, click OK to stop Certificate Services during the restore procedure.
5. On the Welcome To The Certification Authority Restore Wizard page, click Next.
6. On the Items To Restore page, select the Certificate Database And Certificate Database Log check box. If required, select the Certificate Key and CA Certificate check boxes, and then click Browse.
7. In the Browse For Folder dialog box, select the folder that contains the manual backup files, and then click OK.
8. On the Items To Restore page, click Next.
9. On the Completing The Certification Authority Restore Wizard page, click Finish.
10. In the Certification Authority Restore Wizard dialog box, click Yes.
11. Verify that Certificate Services starts successfully.
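The console procedure above has a command-line equivalent, certutil -restore, which is convenient when the restore has to be repeatable or run remotely. The following PowerShell script is an added example, not code from this post or from Komar's book: before it touches the CA it checks every file of the backup set against a SHA-256 manifest (a CSV with RelativePath and Hash columns kept next to the backup folder; that layout is an assumption), then stops Certificate Services, restores database, log and key pair with certutil, and finally starts the service and confirms the CA answers. The paths C:\CABackup and C:\CABackup.manifest.csv are assumptions.

```powershell
# Added example (not from the post, and not from Komar's book): scripted
# equivalent of the console restore, using certutil -restore, with the backup
# set verified against a SHA-256 manifest before anything is changed.
# Assumptions: manifest CSV (RelativePath,Hash) stored next to the backup folder,
# the path C:\CABackup, and the AD CS role already reinstalled as described above.
[CmdletBinding()]
param(
    [string]$BackupDir = 'C:\CABackup',
    [string]$ManifestPath = 'C:\CABackup.manifest.csv',
    [System.Security.SecureString]$KeyPassword = (Read-Host -AsSecureString 'PKCS #12 password')
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to restore a set whose files are missing or do not match the manifest:
#    a tampered or truncated database/key backup must never reach the CA.
foreach ($entry in (Import-Csv -Path $ManifestPath)) {
    $file = Join-Path $BackupDir $entry.RelativePath
    if (-not (Test-Path -Path $file)) { throw "Backup set is incomplete: $($entry.RelativePath) is missing" }
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($actual -ne $entry.Hash) { throw "Hash mismatch for $($entry.RelativePath); backup set altered or corrupt" }
}

# 2. Certificate Services must be stopped while the database is replaced
#    (the wizard does this for you in step 4 above).
Stop-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 3. Restore the database, its log, and the key pair from the PKCS #12 file.
#    -f overwrites the empty database files that the role reinstall created.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & certutil.exe -f -p $plain -restore $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed (exit code $LASTEXITCODE)" }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# 4. Start the service again and prove the CA answers (step 11 of the wizard procedure).
Start-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
& certutil.exe -ping
if ($LASTEXITCODE -ne 0) { throw 'Certificate Services started but the CA did not answer certutil -ping' }
Write-Output 'Restore complete and CA responding.'
```

The manifest check is the part worth keeping even if the rest is done by hand: a restore writes the CA's database and, via the .p12, its signing key, so the set should be proven intact before Certificate Services is stopped rather than after a broken restore has to be unwound.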


What's next

I imported the CRL file into the online CA and restarted the AD CS service; the service started, so everything is back to normal.
My question here is: I always manually copy the CRL file from the offline server to the online CA and run certutil -addstore -f Root "*.crl". Is there an easier way to do this?
