PKI – Certificate Services CA Backup RPO

My recommendation for a CA backup strategy is:

  • For online CAs, take full backups of the CA database alongside a full backup of the system state.
  • For an offline root CA, take a full backup each time the offline CA is accessed (publishing a new CRL, renewing the CA certificate, issuing new certificates).


Note: If you restore the previous night's full backup and the log file directory is unavailable, the CA is not aware of any certificates issued between the backup time and the recovery time. The certificates issued in this time frame are still valid.

The caveat is that you cannot revoke these certificates, as they do not appear in the Certification Authority console. Microsoft has implemented a custom exit module in Certificate Services to allow real-time, centralized logging of all CA transactions to a Microsoft SQL Server database. The information stored in this database allows certificates not included in the CA database due to restoration of the CA database to be identified, allowing the certificate to be revoked.
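As an added example (not the original post's own code, and not Microsoft's exit module), the following PowerShell job implements the online-CA recommendation above and adds a simple mitigation for the post-restore caveat: besides the database and system-state backups, it exports the list of issued certificates to a file outside the CA database, so that after a restore from an older backup the certificates the restored CA "does not see" can still be identified and revoked. It uses only the built-in Backup-CARoleService cmdlet, certutil and wbadmin; the backup root D:\CABackup, the system-state target volume E: and the file names are assumptions.

```powershell
# Added example (not from the original post): nightly backup job for an online
# issuing CA. Assumed values: backup root D:\CABackup, system-state target E:.
# Run elevated on the CA itself; the ADCSAdministration module ships with the AD CS role.
#Requires -RunAsAdministrator
Import-Module ADCSAdministration

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path 'D:\CABackup' $stamp          # assumed backup root
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Full backup of the CA database. -KeepLog leaves the ESE log files in place
#    instead of truncating them, so a restore can roll forward through certificates
#    issued after this backup; without the logs the CA only knows what is in the .edb.
#    The CA key is backed up separately (once, Backup-CARoleService -KeyOnly -Password ...)
#    or lives in an HSM, so the nightly job is database-only.
Backup-CARoleService -Path $dest -DatabaseOnly -KeepLog -Force

# 2. Snapshot of everything the CA has issued, written OUTSIDE the CA database.
#    After a restore from an older backup, compare this list with the restored
#    database to find certificates that no longer appear in the CA console; those
#    are exactly the ones the post says cannot otherwise be revoked.
#    Disposition 20 = issued certificate. Trailing 'csv' selects CSV output.
certutil -view -restrict 'Disposition=20' -out 'RequestID,SerialNumber,NotBefore,CommonName' csv |
    Out-File -FilePath (Join-Path $dest 'issued-certificates.csv') -Encoding UTF8

# 3. System state backup: covers the registry (including the CA configuration under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc) and the machine key store.
wbadmin start systemstatebackup -backupTarget:E: -quiet   # E: is an assumed target volume

# 4. Sanity check: the backup directory must contain the database file, otherwise
#    the job failed silently and the RPO is not met.
$edb = Get-ChildItem -Path $dest -Recurse -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $edb) { throw "CA database backup missing under $dest" }
Write-Host "CA backup complete: $dest"
```

For the offline root CA the same script is run by hand at the end of every session in which the CA is powered on (after publishing a CRL, renewing the CA certificate or issuing a certificate), which gives the per-access full backup recommended above. After a restore, run the same certutil -view query on the restored CA, convert both CSV files with Import-Csv and compare the serial-number columns with Compare-Object; note that certutil's CSV header uses the display names of the columns (for example "Serial Number"), which depend on the system locale, so refer to the column by the name actually present in the file.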
