Backing up and recovering Certificate services

Backup methods

Backup software (Windows Server Backup)

To backup the certificate database, certificate key pairs and certificate services registry settings backup the system state using backup software such as Windows Server backup. If the computer hosting certificate services has a hardware security module then you’ll need third party backup software to backup the CA key pair.

In Windows Server 2008 you can backup the system state from the command line using:

wbadmin start systemstatebackup -backuptarget:z:\backups\... or \\server\backups\...

Certutil or CA console

The certutil command or CA console allows you to backup the CA database, CA key pairs and log files. It does not backup any registry settings or IIS metabase configuration (certificate services web functionality).

certutil -backup z:\backups\…

CA console > All Tasks > Backup CA > follow wizard.

Restore Methods

Backup software

To restore certificate services from a system state backup run the following command:

wbadmin get versions

note the version id of the system state backup

wbadmin start systemstaterecovery -version:{from above} -backuptarget:{backup location} -machine:{if backup sets exists for multiple computers}

Certutil or CA console

This method require you install Windows Server 2008, import the CA certificate into the local computer store, restore the CAPolicy.inf to C:\Windows and reinstall Certificate Services using Existing Private key.

Using certutil or the CA console restore the CA.

certutil -restore z:\backups\…

CA console > All Tasks > Restore CA > follow wizard.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.