Tagged: Certutil

Backing up and recovering Certificate services

Backup methods

Backup software (Windows Server Backup)

To back up the certificate database, the CA key pair and the certificate services registry settings, back up the system state using backup software such as Windows Server Backup. If the computer hosting certificate services has a hardware security module (HSM), the CA key pair is held in the HSM rather than in the system state, so you will need third-party backup software to back up the CA key pair.

In Windows Server 2008 you can backup the system state from the command line using:

wbadmin start systemstatebackup -backuptarget:z:\backups\... or \\server\backups\...

Certutil or CA console

The certutil command or the CA console lets you back up the CA database, the CA key pair and the log files. It does not back up any registry settings or the IIS metabase configuration (the certificate services web enrollment pages).

certutil -backup z:\backups\…

CA console > All Tasks > Backup CA > follow wizard.
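Because certutil -backup leaves out the registry configuration, a backup taken that way is only half of what a rebuild needs. The following PowerShell script is an added example, not code from the original post: it runs certutil -backup and then captures the two things the post says the wizard skips (the CertSvc registry key and CAPolicy.inf) and writes a SHA-256 manifest so a later restore can detect a truncated or tampered set. The backup root path is a placeholder; run it elevated on the CA.

```powershell
# Added example (not from the original post): a certutil backup plus the pieces it omits.
# Assumptions: run elevated on the CA itself; $BackupRoot is a placeholder of your choosing.
param(
    [string]$BackupRoot = 'Z:\backups',            # placeholder, not from the post
    [Parameter(Mandatory)][string]$KeyPassword     # protects the exported key pair (.p12)
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot "ca-$stamp"
# certutil -backup refuses a non-empty directory, so each run gets a fresh timestamped folder.
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Database, key pair and logs (what the CA console wizard does).
#    -p sets the password on the PKCS#12 file holding the CA key pair.
certutil -p $KeyPassword -backup $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. Registry configuration that certutil -backup skips: CDP/AIA URLs, policy module
#    settings, DSConfigDN/DSDomainDN, CRL periods and so on.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. CAPolicy.inf, which the post says must be back in C:\Windows before AD CS is reinstalled.
$caPolicy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy -Destination $target }

# 4. Integrity manifest (relative paths, so the set can be moved to other media).
#    Hashes are computed into a variable first so manifest.csv does not hash itself.
$hashes = Get-ChildItem -Path $target -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($target.Length).TrimStart('\')
        Sha256       = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
}
$hashes | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

Write-Host "Backup written to $target ($($hashes.Count) files in manifest)"
```

Keep the manifest somewhere other than the backup media as well; a hash list stored only next to the files it describes tells you nothing if an attacker can rewrite both.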

Restore Methods

Backup software

To restore certificate services from a system state backup, run the following commands:

wbadmin get versions

Note the version identifier of the system state backup, then run:

wbadmin start systemstaterecovery -version:{from above} -backuptarget:{backup location} -machine:{if backup sets exists for multiple computers}

Certutil or CA console

This method requires you to install Windows Server 2008, import the CA certificate into the local computer store, restore CAPolicy.inf to C:\Windows and reinstall Certificate Services using the existing private key.

Then restore the CA using certutil or the CA console.

certutil -restore z:\backups\…

CA console > All Tasks > Restore CA > follow wizard.
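The restore side of that procedure, as an added PowerShell example rather than code from the original post. It assumes the prerequisites the post lists are already done (Windows Server 2008 installed, AD CS reinstalled with the existing private key under the same CA and host name) and that the backup folder holds a certutil -backup set together with a registry export named CertSvc-Configuration.reg and an optional manifest.csv with RelativePath and Sha256 columns; those file names are this example's convention, not anything the post defines.

```powershell
# Added example (not from the original post): restore a CA from a certutil backup set.
# Assumptions: AD CS has already been reinstalled with the existing key as the post
# describes; CertSvc-Configuration.reg and manifest.csv are this example's own conventions.
param(
    [Parameter(Mandatory)][string]$BackupDir,    # folder holding the certutil backup set
    [Parameter(Mandatory)][string]$KeyPassword   # password used when the key pair was exported
)

# 0. Verify the backup set against its manifest before touching the live CA.
$manifest = Join-Path $BackupDir 'manifest.csv'
if (Test-Path $manifest) {
    foreach ($entry in Import-Csv $manifest) {
        $file = Join-Path $BackupDir $entry.RelativePath
        if (-not (Test-Path $file)) { throw "Backup set incomplete: missing $($entry.RelativePath)" }
        $actual = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
        if ($actual -ne $entry.Sha256) { throw "Hash mismatch for $($entry.RelativePath); refusing to restore" }
    }
} else {
    Write-Warning 'No manifest.csv found; restoring an unverified backup set.'
}

# 1. Stop the service; certutil -restore needs exclusive access to the database files.
Stop-Service certsvc

# 2. Database, key pair and logs. -f overwrites the empty database the reinstall created.
certutil -p $KeyPassword -restore -f $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# 3. Registry configuration, which certutil -restore does not bring back (the post's point).
$reg = Join-Path $BackupDir 'CertSvc-Configuration.reg'
if (Test-Path $reg) {
    reg import $reg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
}

# 4. Bring the CA back and confirm it answers requests.
Start-Service certsvc
certutil -ping
if ($LASTEXITCODE -ne 0) { throw "CA did not respond after restore (certutil -ping exit code $LASTEXITCODE)" }
```

If the rebuilt server does not have the original host name, check the imported registry values (certutil -getreg CA) before starting the service, because the export carries the old server's configuration verbatim.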


Offline Root CA

Creating an offline Root CA

You would configure an offline root CA to protect the integrity of your whole certificate infrastructure.

The root CA is self-signed and issues the certificates of the subordinate CAs, so if the root key is compromised then all the subordinates are compromised too.

To create an offline root CA, follow the steps below (they assume you have a DNS A record for enterpriseca pointing to the enterprise subordinate CA):

  1. Install a root CA on Microsoft Windows Server 2008 on a server that is not a member of a domain.
  2. Set the default certificate request policy to request pending.
  3. Configure the Certificate Revocation List (CRL) distribution point.
    1. Remove the http://, ldap:// and file:// distribution points and uncheck Publish Delta CRLs to this location.
    2. Add an HTTP distribution point: http://enterpriseca/certenroll/<CA Name>.crl, e.g. http://enterpriseca/certenroll/rootca-ca.crl, and check Include in CDP extension of issued certificates.
    3. For the c:\windows\… distribution point ensure only Publish CRLs to this location is checked.
  4. Configure the Authority Information Access (AIA) distribution point.
    1. Remove the http://, ldap:// and file:// distribution points.
    2. Add an HTTP distribution point: http://enterpriseca/certenroll/<hostname_CA Name>.crt, e.g. http://enterpriseca/certenroll/rootca_rootca-ca.crt
  5. Publish the Root CA CRL in Active Directory.
    1. certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Domain,DC=com"
    2. certutil -setreg ca\DSDomainDN "DC=Domain,DC=com"
  6. Copy the CRL and CA certificates from the Root CA to the distribution points.
  7. Add the CA certificate to the Trusted Root Certification Authorities store (using a GPO or manual installation).
  8. Turn off the root CA.
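Steps 3 to 6 above can be done with certutil instead of clicking through the console, which makes the configuration reviewable and repeatable. The script below is an added example, not code from the original post: it sets the CDP and AIA lists to exactly what the steps describe (local file publication only, one HTTP URL in issued certificates, no delta CRL), sets the two DS values from step 5, restarts the service, re-issues the CRL and prints the resulting lists for checking. It uses the post's host name enterpriseca and domain DN DC=Domain,DC=com as given; the local CertEnroll folder is the AD CS default, and the publication of the CA certificate to the local folder with AIA flag 1 is this example's assumption since the post does not say whether to keep the file entry for AIA.

```powershell
# Added example (not from the original post): steps 3 to 6 of the offline root procedure
# as certutil commands. Run elevated on the standalone root CA.
# Assumptions: enterpriseca and DC=Domain,DC=com are the post's own example values;
# keeping a local file entry (flag 1) in the AIA list is this example's choice.

$HttpBase = 'http://enterpriseca/certenroll'            # from the post
$Local    = "$env:windir\system32\CertSrv\CertEnroll"   # AD CS default publication folder

# certutil expands these tokens itself at publication time:
#   %1 = server DNS name, %3 = CA name, %4 = certificate renewal suffix, %8 = CRL name suffix.
# The number before the colon is the flag set for that URL:
#   CRL list: 1 = Publish CRLs to this location, 2 = Include in CDP extension of issued
#             certificates, 64 = Publish Delta CRLs to this location (deliberately absent).
#   AIA list: 1 = Publish CA certificate to this location, 2 = Include in AIA extension
#             of issued certificates.
# Entries are separated by a literal \n, which certutil stores as a multi-string value.
# PowerShell leaves % and \n alone inside double quotes, so no escaping is needed here.
certutil -setreg CA\CRLPublicationURLs "1:$Local\%3%8.crl\n2:$HttpBase/%3%8.crl"
if ($LASTEXITCODE -ne 0) { throw "setting CRLPublicationURLs failed ($LASTEXITCODE)" }

certutil -setreg CA\CACertPublicationURLs "1:$Local\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"
if ($LASTEXITCODE -ne 0) { throw "setting CACertPublicationURLs failed ($LASTEXITCODE)" }

# Step 5: give the standalone root the forest naming contexts it needs for its CRL and
# certificate to be published into Active Directory (the root itself is not domain-joined).
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=Domain,DC=com"
certutil -setreg CA\DSDomainDN "DC=Domain,DC=com"

# Registry changes only take effect after a service restart; then issue a fresh CRL so the
# files in $Local reflect the new CDP configuration.
Restart-Service certsvc
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Review what will actually be written into issued certificates before trusting the result.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem $Local -Include *.crl, *.crt -Recurse | Select-Object Name, LastWriteTime

# Step 6 and the AD publication behind step 5 happen on a domain member, after carrying
# the .crl and .crt files off the root on removable media (<media> is a placeholder):
#   Copy-Item "<media>\*.crl", "<media>\*.crt" -Destination "\\enterpriseca\certenroll\"
#   certutil -dspublish -f "<media>\<hostname>_<CA Name>.crt" RootCA
#   certutil -dspublish -f "<media>\<CA Name>.crl"
```

Once the files are published, fetch http://enterpriseca/certenroll/<CA Name>.crl from a client and run certutil -verify -urlfetch against a subordinate CA certificate; that confirms clients can actually reach the CDP and AIA URLs you just burned into every certificate the root will issue.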

A good article I found, which details the installation of an offline root CA and subordinate CA step by step, is here