Backing up and restoring a certification authority

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The purpose of backup and restore operations is to protect the certification authority (CA) and its operational data from accidental loss due to hardware or storage media failure. The recommended method to back up a CA is to use Backup (included with the operating system) to back up the entire server, including the system state which contains the CA's data.

Warning

The procedures discussed in this article demonstrate how to back up only the certification authority (CA) database and private key. If you want to back up the CA database, private key, and CA configuration, see the backup procedures in AD CS Migration: Migrating the Certification Authority (https://technet.microsoft.com/library/ee126140.aspx). To back up all the configuration data for a computer, run a System State Data backup (https://technet.microsoft.com/library/cc781353.aspx).

It is also possible to back up and restore a CA using the Certification Authority snap-in, but this backup method is intended for use only in special cases where you do not want to back up the entire server on which the CA is installed. Using the Certification Authority snap-in, you can back up and restore the following types of information:

  • The CA certificate and the private key the CA uses for digital signing

  • Certificate database

The CA certificate and its private key are backed up and restored as a PKCS #12 (PFX) file.

The Backup or Restore Wizard prompts you for a password when it backs up the CA certificate and private key. You will need this password to restore the CA, so record it separately from the backup media and in a place that survives the loss of the CA server. For procedures on backing up a CA using the Certification Authority snap-in, see Back up a certification authority.

After performing the initial full backup of the CA, you can do incremental backups from that point on. When restoring, you will need to restore the full backup first and then each incremental backup in the order that they were created. For procedures on restoring a CA using the Certification Authority snap-in, see Restore a certification authority from a backup copy.
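The backup chain described above (one full backup, then incrementals), driven from a script rather than the snap-in. This is an added example and not code from the original article; the CA configuration string, the backup root folder and the backup-order.txt index file are hypothetical values and conventions chosen for the example. It uses the certutil -backup and -backupDB switches, which cover the same data the snap-in backs up (the PKCS #12 key/certificate and the database).

```powershell
# Added example (not from the original article). Full or incremental CA
# backup with certutil, recording the order so the restore replays it
# correctly: full first, then each incremental in creation order.
param(
    [string]$CAConfig   = "CA01\Contoso Issuing CA",   # hypothetical Machine\CAName
    [string]$BackupRoot = "D:\CABackup",               # hypothetical backup root
    [switch]$Incremental                               # database logs only
)
$ErrorActionPreference = "Stop"

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$prefix = if ($Incremental) { "incr-" } else { "full-" }
$target = Join-Path $BackupRoot ($prefix + $stamp)
New-Item -ItemType Directory -Path $target | Out-Null

if (-not $Incremental) {
    # Full backup: -backup writes the CA certificate and private key as a
    # PKCS #12 file plus the certificate database and its logs. certutil
    # prompts for the PFX password; the same password is required at
    # restore time, so keep it off the CA and with the recovery documents.
    & certutil.exe -config $CAConfig -backup $target
} else {
    # Incremental backup: only the database log files written since the
    # previous backup. certutil refuses this until a full backup exists, so
    # the first run must be the full one. (Add KeepLog after Incremental if
    # you do not want the logs truncated on the CA after they are copied.)
    & certutil.exe -config $CAConfig -backupDB $target Incremental
}
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Hypothetical index file: one backup folder per line, oldest first. The
# restore script reads it so that folder timestamps are not the only record
# of the order in which the backups were taken.
Add-Content -Path (Join-Path $BackupRoot "backup-order.txt") -Value $target

# Show what was written so the operator can confirm the key file (.p12) is
# present in a full backup and only log files in an incremental one.
Get-ChildItem -Path $target -Recurse | Select-Object FullName, Length
```

Run it once without -Incremental, then with -Incremental on the schedule you need; a later full run starts a new chain and the index file preserves that boundary.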

Important

  • In general, you should use Backup to back up and restore both the CA and the server. For more information about backing up a Windows Server 2003 family computer, see Backup.

When you restore a CA, the Internet Information Services (IIS) metabase must also be restored if it has been damaged or lost. If a damaged or missing metabase is not restored, IIS fails to start, and the Certificate Services Web pages will not load. Use the IIS snap-in to back up the metabase, and use Backup to back up the IIS Web content pages together with the CA. Alternatively, recreate the metabase and then run certutil.exe -vroot at a command prompt to recreate the virtual roots IIS needs to serve the CA Web pages.

Whether a restore rolls the database forward depends on the database logs still present on the CA (by default in systemroot\system32\certlog). If the logs are not deleted before the restore, they are replayed after the restore, so changes made since the last backup are reapplied and the CA is brought to the point in time of the restore. If the logs are deleted before the restore, nothing is replayed and the CA is returned to the point in time at which the backup was taken. Choose deliberately: replaying the logs is what you want after a storage failure in which the logs survived; deleting them is what you want when rolling back to a known-good state.
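The restore side of the procedure, covering the full-then-incremental order, the choice between rolling forward and restoring to the backup point described above, and the post-restore IIS virtual root repair from the preceding paragraph. This is an added example and not code from the original article; the CA configuration string, backup root and backup-order.txt index are the same hypothetical values assumed by the backup example, and the use of -f to overwrite an existing database and of -verifykeys as a post-restore check are the author's additions to what the page describes.

```powershell
# Added example (not from the original article). Restores a CA from the
# recorded backup chain and deliberately chooses whether the current
# database logs are replayed.
param(
    [string]$CAConfig   = "CA01\Contoso Issuing CA",   # hypothetical Machine\CAName
    [string]$BackupRoot = "D:\CABackup",               # hypothetical backup root
    [switch]$PointInTimeOfBackup                       # discard current logs: no roll-forward
)
$ErrorActionPreference = "Stop"
$certlog = Join-Path $env:SystemRoot "system32\certlog"   # default log location

function Invoke-Certutil {
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed: $LASTEXITCODE" }
}

# Certificate Services must be stopped before its database can be replaced.
net stop certsvc

if ($PointInTimeOfBackup) {
    # Emptying certlog means nothing is replayed: the CA comes back exactly
    # as it was when the backup was taken. Leaving the logs in place makes
    # the restore replay them and roll the database forward to the present.
    Get-ChildItem -Path $certlog -Filter "*.log" | Remove-Item -Force
}

# Hypothetical index written by the backup script: one folder per line,
# oldest first. Restore from the most recent full backup and every
# incremental recorded after it, in order.
$chain    = @(Get-Content (Join-Path $BackupRoot "backup-order.txt"))
$lastFull = $chain | Where-Object { (Split-Path $_ -Leaf) -like "full-*" } | Select-Object -Last 1
if (-not $lastFull) { throw "No full backup recorded under $BackupRoot" }
$start    = [Array]::IndexOf($chain, $lastFull)

# Full backup first: -restore brings back the PKCS #12 key/certificate and
# the database, prompting for the password chosen at backup time. -f is the
# assumed switch for overwriting a database that already exists on the CA.
Invoke-Certutil @("-f", "-config", $CAConfig, "-restore", $lastFull)

# Then each incremental taken after that full backup, oldest first.
for ($i = $start + 1; $i -lt $chain.Count; $i++) {
    Invoke-Certutil @("-f", "-config", $CAConfig, "-restoreDB", $chain[$i])
}

net start certsvc

# Post-restore checks: confirm the restored private key matches the CA
# certificate, and recreate the IIS virtual roots so the CA Web pages load
# again if the metabase was recreated rather than restored.
Invoke-Certutil @("-config", $CAConfig, "-verifykeys")
Invoke-Certutil @("-vroot")
```

Run it with -PointInTimeOfBackup when the goal is to roll back, and without it after a hardware or media failure where the logs on the CA are intact and should be replayed.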

For more information on backup, restore, and verification of a CA backup, see Certutil tasks for backing up and restoring certificates.