Developing Recovery Plans

Develop recovery plans so that CAs can be restored if certificate services fail or a CA is compromised. Test the plans to confirm that they work as intended, and hold training sessions so that your staff know how to carry them out before an incident occurs.

Recovery plans can include the following:

  • Recovery procedures and checklists for administrators to follow

  • Recovery toolkits or pointers to the toolkits

  • Contingency plans

Failed Certification Authority

A CA can fail for a variety of reasons, such as a server hard disk crash, a failed network card, or a server motherboard failure. Some failures can be corrected quickly by locating and correcting the problem within the CA server. For example, you can replace a failed network card or a failed motherboard and restart the computer to restore certificate services.

If a hard disk has failed, you can replace the hard disk and restore the server and the CA from the most recent backup set. If the CA is damaged or corrupted, you can restore the CA from the server's most recent backup set. If you must replace the server, configure the new server with the same network name and IP address as the failed CA server. Then install the CA with the original configuration information and the original private key and certificate for the CA.

In the Windows Components wizard, select Advanced options when you install the CA so that you can reuse the original key and its associated certificate. On the Public and Private Key Selection page, click Use existing keys , select the key from the list, and then click Use the associated certificate . You can also click Import to import the private key from a backup file. The CA information that is contained in the certificate is then used automatically to fill in the CA Identifying Information page, and the CA is installed as the original CA.

If Use the associated certificate is grayed out, you cannot use the subject information contained in the certificate. If so, you must configure the CA Identifying Information page exactly as the original, or else the process cannot work. Furthermore, on the CA Certificate Request page, you must click Save the request to a file instead of requesting a certificate from an online CA (otherwise, the parent CA issues a new certificate for the CA). After the CA is installed, you can use the Certification Authority console to install the original certificate to certify the CA.

You must click Preserve existing certificate database on the Data Storage Location page to preserve an existing CA database. Otherwise, you might overwrite the existing database and destroy the information that is contained in the database.

It is important to keep in mind that only the associated certificate works with the private key because the certificate contains the complementary public key. It is also important to remember that the identifying information for the CA must match the Subject information in the certificate Subject field verbatim or else the CA does not work. The following information that is entered on the CA Identifying Information page during installation of the CA is used for the certificate Subject field:

  • CA name

  • Organization

  • Organizational unit

  • Locality

  • State or province

  • Country/region

  • E-mail

The information in the Subject field is case sensitive, so review the information on the CA Identifying Information page carefully before you complete the installation process. You can view a certificate's Subject information in the Certificate Details dialog box by selecting Subject , or from a command prompt by running certutil -dump on the exported certificate file.

After a replacement CA is installed and running, you can use Windows 2000 Backup or the Certification Authority Restore wizard (in the Certification Authority console) to restore the CA configuration data and certificate database from the most recent backup set.
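The two points above that most often go wrong in practice are the verbatim, case-sensitive Subject match and restoring the database over the fresh install. The following script is an added example, not part of the original documentation: it checks the values you intend to type on the CA Identifying Information page against the Subject of the original CA certificate field by field, and then runs the command-line restore. It assumes PowerShell is available on the replacement server, that the backup set was taken earlier with certutil -backup into D:\CABackup, that the CA certificate was also exported to D:\CABackup\ca.cer, and that the sample field values are constructed.

```powershell
# Added example (not from the original documentation). Rebuild a failed CA
# from its most recent backup set and verify, before reinstalling, that the
# identifying information to be typed matches the CA certificate's Subject
# verbatim. Assumptions: PowerShell is available, the backup was taken with
# "certutil -backup D:\CABackup" (database plus CA key and certificate), the
# CA certificate was exported to D:\CABackup\ca.cer, and the field values
# below are constructed sample data.

$BackupDir = 'D:\CABackup'
$CaCert    = Join-Path $BackupDir 'ca.cer'

# Values exactly as you intend to enter them on the CA Identifying Information
# page. Keys are the RDN abbreviations .NET prints for each Subject field.
$Identifying = @{
    CN = 'Contoso Issuing CA'      # CA name
    O  = 'Contoso'                 # Organization
    OU = 'IT Security'             # Organizational unit
    L  = 'Redmond'                 # Locality
    S  = 'Washington'              # State or province
    C  = 'US'                      # Country/region
    E  = 'pki@contoso.example'     # E-mail
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCert

# Format($true) emits one "ABBREV=value" per line, so the Subject can be
# compared field by field rather than as a single string.
$subject = @{}
foreach ($line in ($cert.SubjectName.Format($true) -split "`r?`n")) {
    if ($line -match '^([^=]+)=(.*)$') { $subject[$Matches[1]] = $Matches[2] }
}

$mismatch = $false
foreach ($key in $Identifying.Keys) {
    $want = $Identifying[$key]
    $have = $subject[$key]
    if ($have -ceq $want) { continue }      # -ceq is case-sensitive equality
    $mismatch = $true
    if ($have -ieq $want) {
        Write-Warning "$key differs only in case: certificate has '$have', you typed '$want'"
    } else {
        Write-Warning "$key mismatch: certificate has '$have', you typed '$want'"
    }
}
if ($mismatch) {
    throw 'Correct the CA Identifying Information before installing; the CA will not start otherwise.'
}

# With the identifying information confirmed, install Certificate Services
# through Add/Remove Windows Components, choosing Advanced options,
# Use existing keys, Use the associated certificate (or Import the key from
# the backup), and Preserve existing certificate database. Then restore the
# database (and the key and certificate, if present in the set) over the new
# installation and confirm the CA answers requests.
certutil -f -restore $BackupDir
net start certsvc
certutil -ping
```

If the original certificate could not be selected during setup (the Use the associated certificate case described above), run the Subject comparison before the CA Certificate Request page as well, since that is the last point at which a typo in the identifying information can still be corrected without reinstalling.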

Compromised Certification Authority

When a CA is found to be compromised, the only solution is to revoke the CA's certificate at its parent CA. Revoking a CA's certificate invalidates the CA and its subordinate CAs, as well as all certificates issued by the CA and its subordinate CAs. A compromised root CA has no parent at which its self-signed certificate can be revoked, so for a root CA the effective measure is removing its certificate from every trust store and CTL that contains it. If you discover a compromised CA, it is recommended that you perform the following activities as soon as possible:

  • Revoke the compromised CA's certificate.

  • Publish a new CRL containing the revoked CA certificate.

  • Remove compromised CA certificates from Trusted Root Certification Authorities stores and CTLs.

  • Notify all affected users and administrators of the compromise and inform them that certificates issued by the affected CAs are being revoked.

  • Repair security holes that led to the compromise.

To restore the CA hierarchy, you must redeploy new CAs, with newly generated key pairs, to replace the compromised hierarchy. You must then reissue the appropriate certificates to users, computers, and services.
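The first three activities in the list above (revoke, publish a CRL, remove from trust stores) can be carried out from a command prompt with certutil, and the order matters: the CRL must be published after the revocation, and trust-store cleanup is the only step that applies to a compromised root. The script below is an added example, not part of the original documentation; the parent CA name PARENTSRV\Contoso Root CA, the compromised CA name Contoso Issuing CA, and the file compromised-ca.cer are constructed, and it assumes PowerShell is available on the administrative workstation.

```powershell
# Added example (not from the original documentation): first-response steps
# for a compromised subordinate CA, run from an administrative workstation
# with certutil. Assumptions (constructed for the example): the parent CA is
# "PARENTSRV\Contoso Root CA", the compromised CA's common name is
# "Contoso Issuing CA", its certificate is saved as .\compromised-ca.cer,
# and PowerShell is available.

$ParentCA       = 'PARENTSRV\Contoso Root CA'
$CompromisedCN  = 'Contoso Issuing CA'
$CompromisedCer = '.\compromised-ca.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CompromisedCer

# 1. Cross-check the serial number against the parent CA's database so that
#    the right certificate is revoked (the CA may have been renewed before).
certutil -config $ParentCA -view -restrict "CommonName=$CompromisedCN" -out 'SerialNumber,NotBefore,NotAfter'
$serial = $cert.SerialNumber

# 2. Revoke at the parent. Reason code 2 is CACompromise; 1 (KeyCompromise)
#    is for a leaked key where the CA host itself was not compromised.
#    A root CA's self-signed certificate cannot be revoked this way; for a
#    root, skip to step 4.
certutil -config $ParentCA -revoke $serial 2

# 3. Publish a new CRL now rather than waiting for the scheduled one, so
#    clients that refresh learn of the revocation immediately.
certutil -config $ParentCA -CRL

# 4. Remove the compromised certificate from the local trust stores on each
#    host, identified by thumbprint. Trust published domain-wide (for example
#    through Group Policy) must be removed at its source as well.
$thumb = $cert.Thumbprint
certutil -delstore CA   $thumb     # Intermediate Certification Authorities
certutil -delstore Root $thumb     # Trusted Root Certification Authorities

# 5. Confirm the certificate no longer validates on this host.
certutil -verify $CompromisedCer
```

Clients cache CRLs until the cached copy expires, so step 5 can still report the certificate as valid on machines that have not fetched the new CRL; step 4 is what makes the result immediate on a given host, which is why the page lists both.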