Backing Up and Restoring Certification Authorities

It is recommended that CAs be backed up regularly so that the CA can be restored if there is a server disaster such as a hard disk failure. If a hard disk fails, you can lose data that has changed since the last backup, such as the following information:

  • Changes to the configuration of Certificate Services

  • Record of certificates issued

  • Record of certificate requests

  • Certificate request queue

  • Record of certificates revoked

To minimize the effect of a server disaster, you can use Windows 2000 Backup to back up and restore the CA as part of your server backup and restore program. You also can back up and restore the Certificate Services configuration data, the private key, the certificate, and the certificate database for the CA by using the Certification Authority console.

Windows 2000 Backup and Restore

You can use Windows 2000 Backup to schedule and perform periodic backups for the server where the CA is installed. If the server fails (for example, as a result of a hard disk failure), you can use Windows 2000 Backup to restore the server and its services by using the most current backup set.

In Windows 2000 Backup, schedule and perform the following types of backups:

  • Normal (full) backups. Backs up the entire server file system and the system state.

  • Differential backups. Backs up all changes to the server file system and the system state since the last normal backup.

  • Incremental backups. Backs up all changes to the server file system and the system state since the last backup.

Although you have the option of backing up the file system without the system state, back up files with the system state to ensure full recovery of the server. Because Certificate Services depends on the Web Enrollment Support pages, you must also make sure to back up Internet Information Services at the same time.

Windows 2000 Backup supports a wide range of storage devices, such as hard disks, tape drives, removable disks, recordable CDs, or an entire library of disks or tapes organized into a media pool and controlled by a robotic changer. For more information about how to use Windows 2000 Backup, see Windows 2000 Server Help.

Certification Authority Console Backup and Restore

You can use the Certification Authority Backup wizard and the Certification Authority Restore wizard (available from the Certification Authority console) to back up and restore the following types of CA data:

  • Private key and certificate

  • Certificate database

You can back up all data or only selected data for the CA. For example, you can back up only the private key and certificate, or you can back up only the certificate database. You also can choose to perform a normal (full) backup or an incremental backup. You can back up CA data to an empty folder on any NTFS, FAT, or FAT32 storage device that is supported by Windows 2000.

If a server disaster occurs, you can restore the CA from the most current backup set. You must first restore the last normal backup, and then restore each incremental backup in the order in which they were backed up.

When you back up the CA's private key, you must provide a password. The private key is stored in a password-protected, encrypted format for protection and confidentiality of the key. You must supply the original password before you are permitted to restore the private key. For more information about how to use the Certification Authority console to back up and restore CAs, see Certificate Services Help.

Backup Strategies

It is recommended that you schedule and perform frequent backups to ensure that the CA can be restored with the minimum disruption to Certificate Services. Typical backup strategies usually include the following combinations of periodic normal (full), differential, and incremental backups.

Daily Normal Backups    Normal backups are the most complete and easiest to restore. However, normal backups take the most time, consume the most storage space, and place the greatest load on servers and the network.

Weekly Normal and Daily Differential Backups    Daily differential backups take less time, consume less storage space, and place less load on servers and the network than daily normal backups do. However, restoring the data takes longer because you must restore the last normal backup and then the last differential backup.

Weekly Normal and Daily Incremental Backups    Daily incremental backups take less time, consume less storage space, and place less load on servers and the network than daily differential backups do. However, restoring the data takes longer because you must restore the last normal backup and each incremental backup in order since the last normal backup.

In addition, you can alternate normal backups with differential or incremental backups at any interval that meets your needs. For example, you might want to perform normal backups every three days and perform daily differential backups in between the normal backups.

Choose backup strategies that meet the backup storage capacity and load restrictions of your networks. Back up Certificate Services at least daily so that no more than one day's worth of certificate transactions is lost if the hard disk that contains the certificate database fails.

In addition to routine backups, you can use the Certification Authority Backup wizard to create an archive that contains the CA's private key, certificate, and configuration data. The archive is then updated only when the CA's data changes. The archive can be used to restore CAs to service even if something happens to the routine backup sets.

Restore Considerations

When the restore of a CA is complete, it is important that you make a new full backup of the certificate server database. This is necessary to truncate the restored log files and to establish a base backup set for future restores. Backups that are performed after a restore cannot be mixed with backups (either full or incremental) that are taken before the restore — that is, after a Certificate Services database is restored and has progressed to a subsequent state, you cannot use the prerestoration backups to restore the database to that subsequent state.
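The restore ordering described in this chapter (the last normal backup, then the last differential or each incremental in order, never mixing sets taken before and after a restore) can be worked through in code. The following Python sketch is an added example, not part of the original documentation; the catalog format, the function name plan_restore and all timestamps are assumptions constructed for illustration, and it applies the backup-type definitions exactly as this chapter states them.

```python
# Catalog entries are (timestamp, kind); kind is "normal", "differential"
# or "incremental". Hypothetical format; all sample data is constructed.

def plan_restore(catalog, last_restore=None):
    """Return (backup sets to restore, oldest first; warnings)."""
    sets = sorted(catalog)
    warnings = []
    if last_restore is not None:
        post = [s for s in sets if s[0] > last_restore]
        if any(kind == "normal" for _, kind in post):
            # A new base set exists: pre-restore sets must not be mixed in.
            sets = post
        else:
            if post:
                warnings.append(
                    f"{len(post)} set(s) taken after the restore have no "
                    "post-restore normal backup and cannot be used")
            sets = [s for s in sets if s[0] < last_restore]
    if not any(kind == "normal" for _, kind in sets):
        raise ValueError("no normal (full) backup available as a base")
    chain = []
    i = len(sets) - 1                  # start from the newest set
    while True:
        chain.append(sets[i])
        kind = sets[i][1]
        if kind == "normal":
            break                      # reached the base set
        if kind == "incremental":
            i -= 1                     # needs the backup taken just before it
        else:
            # differential: needs only the last normal backup before it
            i = max(j for j in range(i) if sets[j][1] == "normal")
    return chain[::-1], warnings


if __name__ == "__main__":
    weekly = [("2000-03-05 02:00", "normal"),
              ("2000-03-06 02:00", "incremental"),
              ("2000-03-07 02:00", "incremental"),
              ("2000-03-08 02:00", "incremental")]
    # CA restored on 2000-03-07 at noon, no new normal backup taken afterwards.
    chain, notes = plan_restore(weekly, last_restore="2000-03-07 12:00")
    for stamp, kind in chain:
        print(stamp, kind)
    print(notes)
```

In the constructed run, the incremental set from 2000-03-08 is reported as unusable because no normal backup was taken after the restore, which is the situation the new full backup recommended above prevents.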

When you are restoring a failed CA with Windows 2000 Backup, you must restore Internet Information Services as well as Certificate Services, or else Internet Information Services fails to start when the system is restarted. Certificate Services requires that the Internet Information Services be running to support the Web Enrollment Support pages.

When you are restoring Certificate Services, if the database logs are not manually deleted, Certificate Services is brought up to date. If the logs are manually deleted, Certificate Services is restored to the point in time that the backup was performed. By default, the certificate database and the request log are installed at the following location:

<Drive:>\WINNT\System32\CertLog

where <Drive:> is the letter of the drive where the CA is installed.