Problem solve Get help with specific problems with your technologies, process and projects.

How to back up and restore a certificate store

One type of server that is critical to back up is your enterprise certificate authority. If you lose your certificates, you lose data.

Generally speaking, nobody is going to argue the point that you should back up your servers on a regular basis. Even so, some servers are definitely more important to back up than others. While it's important to back up your domain controllers, for example, it isn't absolutely critical in most cases. If a domain controller fails, another domain controller can usually take over until the failed server can be brought back online. But one type of server that is critical to backup is your enterprise certificate authority.

An enterprise certificate authority is responsible for issuing certificates to the users and computers on your network. These certificates are used by a variety of applications as a means of encrypting data, proving a user's identity and verifying that data has not been tampered with. If you lose certificates, you lose data. If files are encrypted with certificates, and those certificates are lost, then there is no way of decrypting the file. Of course, certificates are also used for other purposes such as identity management and authentication. The point is -- your certificates are not something you can afford to lose.

The easiest way to back up an enterprise certificate authority is to simply perform a full, system state backup of the server that is running the certificate services. This allows you to restore the certificate store, the Windows operating system, and even the Active Directory database (assuming that the certificate services are running on a domain controller).

However, it's not always practical to perform a full-blown system state backup on a daily basis. Although it is a good idea to perform a full, system state backup of your certificate authority on at least a monthly basis, there are occasions when it may be more practical to just back up the certificate store than to back up the entire server.

If files are encrypted with certificates, and those certificates are lost, then there is no way of decrypting the file.

The exact method of backing up the certificate store varies a little bit depending upon the version of Windows that the server is running. For the purposes of this article, we'll assume the server is running Windows Server 2008.

Begin by logging on to your enterprise certificate authority using an account that has administrative permissions. Next, choose the Certificate Authority command from the server's Administrative Tools menu. When you do, Windows will open the Certification Authority console.

Just below the Certification Authority (Local) node in the console tree, there will be a node that uses the fully qualified domain name of your certificate authority server. Right-click on this node and then select the All Task | Back Up CA commands from the resulting shortcut menus. This will cause Windows to launch the Certification Authority Backup Wizard.

Click Next to bypass the wizard's welcome screen. You will see a screen that asks you which items you want to back up. Be sure to choose the Private Key and CA Certificate check, and the Certificate Database and Certificate Database Log check box. You will need to select both of these components in order to get a full backup of the certificate store.

The next thing that you will have to do is to enter a path for the backup into the Backup to this Location field. Keep in mind that the path that you enter must correspond to a folder that is completely empty.

Click Next and you will be prompted to enter and confirm the password that you want to use in order to gain access to the backup file that you are creating. Although it is generally considered to be a bad practice to write down passwords, I would recommend writing down this password, sealing it in an envelope and locking the envelope in a safe. The reason why I say this is because of the critical nature of the backup. You don't want to end up in a situation in which nobody can restore the certificates because no one knows the password that was used.

When you click Next, you will see a summary screen that confirms you are backing up the Private Key and CA Certificate and the Issued Log and Pending Request. Click Finish to create the backup.

The restore process

Restoring the backup you made is very similar to the process that you used to make the backup. To restore the backup, right-click on the node in the Certification Authority console that bears the name of the server that you want to restore. Choose the All Tasks | Restore CA commands from the resulting shortcut menus. Next, just follow the prompts to complete the restore process.

About the author:
Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. You can visit Brien's personal website at 

Do you have comments on this tip? Let us know.

This was last published in December 2008

Dig Deeper on Data backup security



Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

I’m having a problem.   I am attempting to migrate CA from a 2003 server to a 2012 server

When I get to the part of restoring the CA on the 2012 server, I keep getting this error message: “The unexpected data does not exist in this directory. Please choose a different directory. The system cannot find the file specified. 0x800700002 (WIN32: 2)”; which is weird because the files are there in backup folder, and they have been altered in any way that I can think of. 

What am I doing wrong?