Monday, June 20, 2011

Manual Backup and restore CA

Apparently we can achieve CA backup through two methods: Windows Server Backup, and a manual backup using the Certification Authority console or certutil.exe. Let's call the Certification Authority console and certutil.exe methods "manual backup".
What we will cover here:
1.       Performing manual backups
2.       Restoring manual backups
3.       What's next
Before we start, I would like to give you some background. Recently I tried to join my offline Root CA to the domain and reuse this VM for my lab testing, but found out I couldn't do it because the AD CS role was installed. So I did this Certification Authority backup and restore: back up and remove the AD CS role so I can join the machine to AD, and then restore the offline Root CA. I tested that the online issuing CA works exactly like nothing happened.
The following paragraphs are quoted from "Windows Server 2008 PKI and Certificate Security" by Brian Komar.

Performing Manual Backups

Manual backups can be performed from either the Certification Authority console or the command line by using the certutil.exe command.

Using the Certification Authority Console

Use the following procedure to perform the backup:

1.       From the Start menu, point to Administrative Tools, and then click Certification Authority.
2.       In the console tree, ensure that Certificate Services is running.
3.       In the console tree, right-click CAName, point to All Tasks, and then click Backup CA.
4.       On the Welcome To The Certification Authority Backup Wizard page, click Next.
5.       On the Items To Backup page, input the following options:
- Private Key And CA Certificate: includes the CA's certificate and private key(s) in the backup set. Select this check box only if you are using a software CSP. If using a hardware CSP, leave this check box cleared.
- Certificate Database And Certificate Database Log: always select this check box to ensure that you include the CA database and log files in the backup set.
- Perform Incremental Backup: this check box is not usually selected. Full backups of the CA database and log files are recommended instead.
- Backup To This Location: select a folder on the local file system that does not contain any existing data.
6.       If the Certification Authority Backup Wizard dialog box appears, click OK to create the location designated on the Items To Backup page.
7.       If you choose to back up the private key and CA certificate, open the Select A Password page, type and confirm a password to protect the PKCS #12 file generated by the backup procedure, and then click Next.
8.       On the Completing The Certification Authority Backup Wizard page, click Finish.

The backup folder contains a *.p12 file: the PKCS #12 backup of the CA's certificate and private key.

Certutil Commands

1.       Open a command prompt.
2.       At the command prompt, type net start certsvc to ensure that Certificate Services is running.
3.       Create a folder that will contain the results of the manual backup of the CA database, for example C:\CABackup.
4.       At the command prompt, type certutil -backup C:\CABackup -p password, and then press Enter.
5.       At the Enter New Password prompt, type a complex password, and then press Enter.
6.       At the Confirm New Password prompt, type the same password again, and then press Enter.
7.       When the backup is complete, ensure there are no error messages, and then close the command prompt.


To back up only the CA database, a backup operator can use the -backupdb option: at the command prompt, type certutil -backupdb C:\CABackup.
To back up only the CA's key pair, use the -backupkey option, which backs up the CA's private key and public key to a PKCS #12 file: certutil -backupkey C:\CABackup
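The certutil backup steps above, wrapped in a script that checks the result. This is an added example, not code from the book or the original post; the backup root C:\CABackup, the timestamped subfolder and the hash manifest layout are my own choices, and certutil's option order follows its documented usage (options before the verb).

```powershell
# Added example (not from the book or the original post): runs the full certutil
# backup described in the steps above and verifies what it produced.
# Assumptions: backup root C:\CABackup and the manifest layout are mine.
param([string]$BackupRoot = 'C:\CABackup')

# certutil -backup requires a target folder with no existing data, so create a fresh one per run.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target | Out-Null

# Step 2 of the procedure: Certificate Services must be running.
if ((Get-Service -Name CertSvc).Status -ne 'Running') { Start-Service -Name CertSvc }

# Prompt for the PKCS #12 password rather than typing it on the command line,
# where it would end up in the console history and in the process command line.
$secure = Read-Host -AsSecureString -Prompt 'PKCS #12 password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Full backup: CA certificate + private key (.p12) and the database with its logs (DataBase\).
& certutil.exe -p $plain -backup $target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Check that the expected artifacts exist before trusting the backup set.
$p12 = Get-ChildItem -Path $target -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $p12) { throw 'No PKCS #12 file in the backup set (expected with a software CSP)' }
if (-not $edb) { throw 'No CA database (.edb) in the backup set' }

# Record SHA-256 hashes with paths relative to the backup folder, so the set can be
# checked for corruption or tampering before it is ever restored. The manifest is
# written next to the backup folder so it is not part of the hashed tree.
Get-ChildItem -Path $target -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($target.Length + 1)
        Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv -Path (Join-Path $BackupRoot "$stamp-manifest.csv") -NoTypeInformation

Write-Host "Backup written to $target"
```

Run it in an elevated PowerShell session on the CA; the manifest file should be stored separately from the backup set so that a modified backup cannot simply be re-hashed.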


Restoring a Manual Backup

Before you do the restore, make sure all the backups you previously made are available to the CA.

Reinstalling Certificate Services

1.       On the Set Up Private Key page, click Use Existing Private Key, and then select the Select A Certificate And Use Its Associated Private Key check box.
The cryptographic service provider (CSP) is automatically set to the CSP used to generate the existing private key.

2.    On the Configure Certificate Database page, set the storage locations to the same database and log locations used by the original CA (same drive letters).

Restoring Manual Backups

A manual backup, whether it was created with certutil or the Certification Authority console, can be restored by using the Certification Authority console, using the following procedure:
1.    From the Start menu, point to Administrative Tools, and then click Certification Authority.
2.    In the console tree, click CAName.
3.    In the console tree, right-click CAName, point to All Tasks, and then click Restore CA.
4.    In the Certification Authority Restore Wizard, click OK to stop Certificate Services during the restore procedure.
5.    On the Welcome To The Certification Authority Restore Wizard page, click Next.
6.    On the Items To Restore page, select the Certificate Database And Certificate Database Log check box. If required, select the Certificate Key and CA Certificate check boxes, and then click Browse.
7.    In the Browse For Folder dialog box, select the folder that contains the manual backup files, and then click OK.
8.    On the Items To Restore page, click Next.
9.    On the Completing The Certification Authority Restore Wizard, click Finish.
10.  In the Certification Authority Restore Wizard dialog box, click Yes.
11.  Verify that Certificate Services starts successfully.
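A command-line counterpart of the console restore above, with an integrity check against the hash manifest first. This is an added example, not from the book or the original post; it assumes the manifest format (RelativePath and Sha256 columns) written by the backup script earlier on this page, and uses certutil's -restore verb with its -f (overwrite) and -p (password) options.

```powershell
# Added example (not from the book or the original post): restores a certutil
# backup set from the command line after verifying it against a hash manifest.
# Assumptions: manifest columns RelativePath/Sha256, as written by my backup script.
param(
    [Parameter(Mandatory)][string]$BackupDir,
    [string]$Manifest
)

# Make sure the backup set is complete before touching the CA.
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) {
    throw "No DataBase folder in $BackupDir; this is not a certutil backup set"
}

# Compare every file against the hashes recorded at backup time.
if ($Manifest) {
    foreach ($entry in Import-Csv -Path $Manifest) {
        $file = Join-Path $BackupDir $entry.RelativePath
        if (-not (Test-Path $file)) { throw "Missing file $file" }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { throw "Hash mismatch for $file" }
    }
}

# Only ask for the PKCS #12 password if the set contains a key/certificate file.
$p12 = Get-ChildItem -Path $BackupDir -Filter '*.p12'
$passArgs = @()
if ($p12) {
    $secure = Read-Host -AsSecureString -Prompt 'PKCS #12 password'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $passArgs = @('-p', [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Step 4 of the console procedure: Certificate Services is stopped during the restore.
Stop-Service -Name CertSvc -Force

# -f overwrites the existing database; -restore takes the same folder that -backup wrote.
& certutil.exe -f @passArgs -restore $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# Step 11: verify that the service starts and answers requests.
Start-Service -Name CertSvc
if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc did not start' }
& certutil.exe -ping
if ($LASTEXITCODE -ne 0) { throw 'CA is not responding to requests after the restore' }
```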


What's next

I imported the CRL file to the online CA and restarted the AD CS service, and the service started. So everything goes back to normal.
My question here is: I always manually copy the CRL file from the offline server to the online CA and run the certutil -addstore -f Root "*.crl" command. Is there an easy way to do this?
