PKI – CA Restore

The first step in restoring the CA computer is to ensure that Certificate Services is installed correctly and can be started and stopped. If you have a good backup of Certificate Services, whether the backup is a SystemState backup or a manual backup, you must first re-install Certificate Services using the same certificate and key pair.

To reinstall Certificate Services, ensure that the CA certificate and private key are available to the CA. For a software-based CSP, a local administrator of the computer can import a PKCS #12 (PFX) file into the local machine store. You can verify that the certificate is imported successfully by loading the Certificates MMC console focused on the local computer: the CA certificate must appear in the Personal store and show that it has a corresponding private key. If the private key is missing, the installation wizard will not be able to reuse the existing key pair.

Once the CA certificate and private key are loaded or accessible to the CA, use the following procedure to install Certificate Services, using the previous CA certificate and private key:

  1. From the Start menu, click Control Panel and click Add or Remove Programs.
  2. In the Add or Remove Programs window, click Add/Remove Windows Components. In the Windows Components Wizard, in the Windows Components list, select the Certificate Services check box.
  3. In the Microsoft Certificate Services dialog box, click Yes.
  4. On the Windows Components page, click Next.
  5. On the CA Type page, select the previous role of the CA, enable the Use Custom Settings To Generate the Key Pair and CA Certificate check box, and click Next.
  6. On the Public and Private Key Pair page, set the following options:
    • CSP: The same CSP as used previously
    • Use an existing key: Enabled
    • Select the certificate with the same CA name as the subject
    • Use the certificate associated with this key: Enabled

Note: The hash algorithm and key length will automatically populate based on the previous CA certificate.

  7. On the Public and Private Key Pair page, click Next.
  8. On the CA Identifying Information page, verify that the CA’s common name and distinguished name are correct and click Next.
  9. On the Certificate Database Settings page, verify that the database, database log, and, if used, shared folder paths are the same as the original CA. Enable the Preserve Existing Certificate Database check box and click Next.
  10. If the Microsoft Certificate Services dialog box appears, click Yes to temporarily stop IIS. If prompted, insert the Windows Server 2003, Enterprise Edition, CD in the CD-ROM drive or point to the media installation point on the network and choose the \i386 folder.
  11. On the Completing the Windows Components Wizard page, click Finish. Close the Add or Remove Programs dialog box.
  12. From Administrative Tools, open the Certification Authority console. Attempt to start Certificate Services.

If Certificate Services starts, you can proceed to restoring the last SystemState or manual backup.

Note: The above procedure keeps saying that the first thing to do is re-install Certificate Services with the exact CA key pair and then perform the SystemState or manual restore. The question is: how can I have the CA key pair in the first place if the only thing I have is the SystemState backup files?

The answer to this question is the answer to another question: can I recover the private key and public key from a SystemState backup only? The answer is yes. To do this, take a workgroup machine, give it the same name as your CA, but keep it disconnected from the network to avoid a name conflict. Restore the SystemState on it, restart the machine, and then look at the local machine certificate store: you will find the CA key pair there. Export it as a PKCS #12 file (this only works if the key was not marked non-exportable when the CA was first installed), then import that file on the rebuilt CA. That file and the restored workgroup machine now both hold the CA's private key, so protect and dispose of them with the same care as the CA itself.
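The following PowerShell script is an added example for this post (it is not part of the original article and not a Microsoft tool). It covers the two halves of the recovery above: exporting the CA key pair from the workgroup machine on which the SystemState backup was restored, then importing it into the LocalMachine store of the rebuilt CA and checking that the private key is actually reachable before Certificate Services is reinstalled. The CA name "Contoso Issuing CA", the file path and the password are hypothetical placeholders; the script assumes it runs elevated and that the CA key was exportable.

```powershell
# Added example, not from the original post. Works against the .NET X509Store
# API, so it runs on any Windows host with PowerShell, including a 2003-era CA
# with PowerShell 1.0 installed.
param(
    [string]$CaCommonName = "Contoso Issuing CA",          # hypothetical CA name
    [string]$PfxPath      = "C:\Restore\ca-backup.pfx",     # hypothetical path
    [string]$PfxPassword  = "ReplaceWithStrongPassword"    # placeholder
)

$storeLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", $storeLocation)

function Find-CaCertificate {
    # Every certificate in LocalMachine\My whose subject CN is the CA name and
    # that has a private key attached. Several hits mean renewed CA certificates;
    # the restore needs the one the current CA was using.
    $store.Open("ReadOnly")
    $hits = @($store.Certificates | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($CaCommonName))" -and $_.HasPrivateKey })
    $store.Close()
    return $hits
}

function Export-CaKeyPair {
    # Run on the restored, disconnected workgroup machine. Export() throws if the
    # key container is marked non-exportable, which is the failure to expect here.
    $certs = Find-CaCertificate
    if ($certs.Count -eq 0) { throw "No CA certificate with a private key found for CN=$CaCommonName" }
    $cert  = $certs[0]
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
    return $cert.Thumbprint
}

function Import-CaKeyPair {
    # Run on the rebuilt CA. MachineKeySet places the key in the machine key store
    # so the CA service (LocalSystem) can reach it; PersistKeySet keeps the key
    # after the X509Certificate2 object is gone; Exportable lets a later backup
    # re-export it.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet, Exportable"
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $store.Open("ReadWrite")
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

function Test-CaKeyPair {
    param([string]$ExpectedThumbprint)
    # Confirm the certificate in the store is the same one the backup held and
    # that its private key opens from the machine store rather than only
    # appearing to be present.
    $match = Find-CaCertificate | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if (-not $match) { throw "Certificate $ExpectedThumbprint is not in LocalMachine\My" }
    $rsa = $match.PrivateKey      # throws if the key container is missing or inaccessible
    if ($rsa -eq $null) { throw "Private key for $ExpectedThumbprint is not accessible" }
    Write-Host ("OK: {0}, {1}-bit key, container {2}" -f $match.Subject, $rsa.KeySize,
                $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    return $true
}

# Usage (two machines):
#   restored workgroup box:  $tp = Export-CaKeyPair      ; copy the PFX to the new CA
#   rebuilt CA:              Import-CaKeyPair ; Test-CaKeyPair -ExpectedThumbprint $tp
```

Record the thumbprint printed on the workgroup machine and pass it to Test-CaKeyPair on the rebuilt CA; a matching thumbprint with a readable private key is exactly what the "Use an existing key" step of the wizard needs. After Certificate Services is installed, certutil -verifykeys gives the CA's own confirmation that the public key in the certificate matches the private key in the store.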
