The easiest way to back up an enterprise certificate authority is to simply perform a full, system state backup of the server that is running the certificate services. This allows you to restore the certificate store, the Windows operating system, and even the Active Directory database (assuming that the certificate services are running on a domain controller).
However, it's not always practical to perform a full-blown system state backup on a daily basis. Although it is a good idea to perform a full, system state backup of your certificate authority on at least a monthly basis, there are occasions when it may be more practical to just back up the certificate store than to back up the entire server.
The exact method of backing up the certificate store varies a little bit depending upon the version of Windows that the server is running. For the purposes of this article, we'll assume the server is running Windows Server 2008.
Begin by logging on to your enterprise certificate authority using an account that has administrative permissions. Next, choose the Certification Authority command from the server's Administrative Tools menu. When you do, Windows will open the Certification Authority console.
Just below the Certification Authority (Local) node in the console tree, there will be a node that uses the fully qualified domain name of your certificate authority server. Right-click on this node and then select the All Tasks | Back Up CA commands from the resulting shortcut menus. This will cause Windows to launch the Certification Authority Backup Wizard.
Click Next to bypass the wizard's welcome screen. You will see a screen that asks you which items you want to back up. Be sure to select both the Private Key and CA Certificate check box and the Certificate Database and Certificate Database Log check box. You need both of these components in order to get a full backup of the certificate store.
The next thing that you will have to do is to enter a path for the backup into the Backup to this Location field. Keep in mind that the path that you enter must correspond to a folder that is completely empty.
Click Next and you will be prompted to enter and confirm the password that will protect the backup file you are creating. Although it is generally considered to be a bad practice to write down passwords, I would recommend writing down this password, sealing it in an envelope and locking the envelope in a safe. I say this because of the critical nature of the backup. You don't want to end up in a situation in which nobody can restore the certificates because no one knows the password that was used.
When you click Next, you will see a summary screen that confirms you are backing up the Private Key and CA Certificate and the Issued Log and Pending Request. Click Finish to create the backup.
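The same backup can be taken from the command line with certutil, which is useful when the certificate store is backed up more often than the full system state. The following PowerShell script is an added example, not part of the original tip; the backup path is a hypothetical value, and the script assumes PowerShell is installed on the CA server and is run from an elevated session.

```powershell
# Added example: command-line counterpart of the Backup Wizard steps.
# $BackupPath is a hypothetical location; change it for your environment.
param(
    [string]$BackupPath = 'D:\CABackup\Current'
)

$ErrorActionPreference = 'Stop'

# The wizard requires a completely empty target folder; enforce the same rule.
if (Test-Path $BackupPath) {
    if (@(Get-ChildItem -Path $BackupPath -Force).Count -gt 0) {
        throw "Backup folder '$BackupPath' is not empty. Choose an empty folder."
    }
} else {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}

# 'certutil -backup' saves the private key and CA certificate together with
# the certificate database and its logs. No -p option is passed, so certutil
# prompts for the backup password instead of taking it on the command line,
# where it would be visible in process listings and command history.
& certutil.exe -backup $BackupPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backup failed with exit code $LASTEXITCODE."
}

# Confirm that both components were written: a password-protected .p12 file
# (key and certificate) and a DataBase folder holding the .edb database.
$dbFolder = Join-Path $BackupPath 'DataBase'
$p12 = @(Get-ChildItem -Path $BackupPath -Filter '*.p12')
if ($p12.Count -eq 0) {
    throw "No .p12 file found in '$BackupPath'; the key and certificate were not backed up."
}
if (-not (Test-Path $dbFolder)) {
    throw "No DataBase folder found in '$BackupPath'; the certificate database was not backed up."
}
$edb = @(Get-ChildItem -Path $dbFolder -Filter '*.edb')
if ($edb.Count -eq 0) {
    throw "No .edb file found in '$dbFolder'; the certificate database was not backed up."
}

Write-Host "CA backup complete:"
Write-Host "  Key and certificate: $($p12[0].FullName)"
Write-Host "  Database:            $($edb[0].FullName)"
```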
The restore process
Restoring the backup you made is very similar to the process that you used to make the backup. To restore the backup, right-click on the node in the Certification Authority console that bears the name of the server that you want to restore. Choose the All Tasks | Restore CA commands from the resulting shortcut menus. Next, just follow the prompts to complete the restore process.
About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. You can visit Brien's personal website at www.brienposey.com.
This was first published in December 2008