PKI – Certificate Authority CA Backup

One of the important things you need to do is to back up your certificate authority servers. In this post, I will give you some of the best practices for backing up a CA that I came up with from my experience.

1. System State Backup (Full backup, not differential)

This is the preferred method of backing up a CA. It includes the following components related to CA services:

  • CA database: includes information about any certificate issued or revoked.
  • CA key pair: the backup should include all versions of the CA certificates in case the CA certificate has been renewed.
  • IIS metabase: important if changes are made to the Certificate services web enrollment pages.
  • Registry settings: the CA configuration.

2. Manual Backup

This method can back up only the CA database and the CA key pair. The registry settings and the IIS metabase must be backed up separately.

Manual backup can be performed via the CA console (GUI) or by using the certutil command-line tool:

  • Manual backup using the CA console:

1. From the Start menu, point to Administrative Tools and click Certification Authority.

2. In the console tree, ensure that Certificate Services is running.

3. In the console tree, right-click CA Name, point to All Tasks and click Backup CA.

4. On the Welcome to the Certification Authority Backup Wizard page, click Next.

5. On the Items to Backup page, input the following options:

      • Private Key and CA certificate. Includes the CA’s certificate and private key(s) in the backup set. Select this option only if you are using a software CSP. If you are using a hardware CSP, leave this check box cleared.
      • Certificate database and certificate database log. Always select this option to ensure that you include the CA database and log files in the backup set.
      • Perform incremental backup. This check box is not usually selected. Full backups of the CA database and log files are recommended instead.
      • Backup to this location. Select a folder on the local file system that does not contain any existing data.

6. If the Certification Authority Backup Wizard dialog box appears, click OK to create the location designated on the Items to Backup page.

7. If you chose to back up the private key and CA certificate, the Select a Password page appears: type and confirm a password to protect the PKCS #12 file generated by the backup procedure, and click Next.

8. On the Completing the Certification Authority Backup Wizard page, click Finish.

Once the backup is complete, open the folder designated in step 5. In the folder, there is a *.p12 file (the PKCS #12 backup of the CA’s certificate and private key) and a subfolder named Database that contains the backup of the CA database and log files.

  • Manual backup using certutil:

If you are using a software CSP, ensure that the backup set includes both the CA database and the CA’s key pair. To do this, use the following procedure:

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA database—for example, C:\CABackup.

4. At the command prompt, type certutil -backup C:\CABackup and press ENTER.

5. At the command prompt, at the Enter New Password prompt, type a complex password and press ENTER.

6. At the command prompt, at the Confirm New Password Prompt, type the same password again and press ENTER.

7. When the backup is complete, ensure there are no error messages and close the command prompt.

The password you provide protects the PKCS #12 file containing the CA’s key pair. To create a successful backup of the private key, you must be a local administrator of the computer; to create the backup of the CA database, you need to hold the Common Criteria role of backup operator. In other words, you can only run this single command successfully if Common Criteria role separation is not enforced, because it requires both roles at once.

If Common Criteria role separation is enforced, you can separate the two backups by running two certutil commands.

To back up only the CA database, a backup operator can use the -backupdb option, as shown here:

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA database—for example, C:\CABackup.

4. At the command prompt, type certutil -backupdb C:\CABackup and press ENTER.

5. When the backup is complete, ensure there are no error messages and close the command prompt.

Likewise, if you are a local administrator and only want to back up the CA’s key pair, you can use the -backupkey option to back up the CA’s private key and public key to a PKCS #12 file.

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA’s key pair—for example, C:\CABackup.

4. At the command prompt, type certutil -backupkey C:\CABackup and press ENTER.

5. At the command prompt, at the Enter New Password prompt, type a complex password and press ENTER.

6. At the command prompt, at the Confirm New Password prompt, type the same password and press ENTER.

7. When the backup is complete, ensure there are no error messages and close the command prompt.

Note: Ensure that you have included the registry in the backup, either by including the System State in the backup set or by manually backing up the HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName registry key.

So what is my recommendation? Well, I recommend taking System State backups of the CA server on a daily basis, and scheduling a batch file that backs up the database to a folder using certutil -backupdb, then including this folder in your normal backup cycle. I also recommend exporting the private key of the CA, if you can, and keeping it safe. Don’t forget to back up the HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName registry key: it contains all of your CA configuration.
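As an added example (not code from the original post), here is a batch file implementing the scheduled certutil -backupdb backup recommended above, with the export of the CertSvc Configuration registry key in the same run. The backup root C:\CABackup, the 14-day retention, the dated folder names and the service check via sc query are my own assumptions.

```batch
@echo off
REM Added example (not from the original post): nightly CA database backup with certutil -backupdb,
REM plus an export of the CA configuration registry key, into a fresh dated folder.
REM Assumptions (not from the post): backup root C:\CABackup, 14-day retention, locale-independent date via PowerShell.
setlocal enabledelayedexpansion

set "BACKUP_ROOT=C:\CABackup"
set "KEEP_DAYS=14"

REM 1. Certificate Services must be running for certutil -backupdb to succeed.
sc query CertSvc | findstr /C:"RUNNING" >nul
if errorlevel 1 (
    echo [ERROR] CertSvc is not running; aborting backup.
    exit /b 1
)

REM 2. certutil -backupdb needs a folder without existing data, so create a new
REM    timestamped folder per run (PowerShell is only used to format the date).
for /f %%i in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmm"') do set "STAMP=%%i"
set "TARGET=%BACKUP_ROOT%\%STAMP%"
mkdir "%TARGET%" || exit /b 1

REM 3. Back up the CA database and log files only (no private key, so no password
REM    prompt; the backup operator role is sufficient for this part).
certutil -backupdb "%TARGET%"
if errorlevel 1 (
    echo [ERROR] certutil -backupdb failed with errorlevel !errorlevel!.
    exit /b 1
)

REM 4. Export the CA configuration key the post tells you not to forget.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "%TARGET%\CertSvc-Configuration.reg" /y
if errorlevel 1 (
    echo [ERROR] registry export failed.
    exit /b 1
)

REM 5. Sanity check: the database file must exist in the backup set before calling it good.
if not exist "%TARGET%\DataBase\*.edb" (
    echo [ERROR] no .edb file found under %TARGET%\DataBase; backup is incomplete.
    exit /b 1
)

REM 6. Prune folders older than KEEP_DAYS so the backup root, which the normal
REM    backup cycle picks up, does not grow without bound.
forfiles /p "%BACKUP_ROOT%" /d -%KEEP_DAYS% /c "cmd /c if @isdir==TRUE rd /s /q @path" 2>nul

echo [OK] CA database and configuration backed up to %TARGET%
exit /b 0
```

Run it under an account holding the backup operator role, scheduled daily with schtasks (for example `schtasks /create /tn "CA DB Backup" /tr "C:\Scripts\ca-backup.cmd" /sc daily /st 02:00`), and keep the private key backup from certutil -backupkey as a separate, offline-protected PKCS #12 file rather than in this folder.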
