Backing up Windows Server 2008 ADCS CA Keys

re: Backing up Windows Server 2008 ADCS CA Keys

markbcooper — Wed, 02 Feb 2011 18:02:31 GMT

Yes. The Snapshot will be a full backup of the guest operating system and will then give you all the files you need. The downside is the recovery is more difficult if you want to restore just certificate services and not the entire snapshot.

re: Backing up Windows Server 2008 ADCS CA Keys

JayM — Tue, 01 Feb 2011 22:56:47 GMT

In regards to hosting CAs on VMs. Would a Snapshot of the current state of a VM be a suitable backup option?

re: Backing up Windows Server 2008 ADCS CA Keys

markbcooper — Sat, 04 Dec 2010 02:12:44 GMT

No, an additional backup is not required. Using "AllCritical" includes all critical drives, including the Operating System drive. The private keys are stored on the Operating System drive. For more information on "AllCritical", refer to blogs.technet.com/.../deciding-between-system-state-backup-and-allcritical-backup-in-windows-server-2008.aspx.

re: Backing up Windows Server 2008 ADCS CA Keys

Yves — Mon, 29 Nov 2010 09:49:47 GMT

We are using Windows Server Backup on Windows Server 2008 with the option -allcritical. Is it still necessary to backup the CA keys seperately?

re: Backing up Windows Server 2008 ADCS CA Keys

markbcooper — Wed, 06 Oct 2010 19:05:17 GMT

The private key is usually not stored by a Certification Authority for an issued certificate (unless Key Recovery is implemented). So any certificate you export from the CA will NOT contain the private key unless you are explicity performing a Key Recovery. To get a certificate exported from the CA with a command line only approach, you can perform the following steps:

1) Locate the requestID in the database or find another distinguishing attribute (Serial Number, etc...)

2) Run the following two commands. The first exports the certificate in a raw format, the second decodes it into an X509 certificate.

certutil –view –restrict RequestId=<ID FROM STEP1> –out RawCertificate > RequestCert.txt

certutil –decode RequestCert.txt Certificate.cer

If you are using another attribute other than RequestID, the -restrict statement should be changed to the appropriate attribute and value.

re: Backing up Windows Server 2008 ADCS CA Keys

Lakshmi — Wed, 15 Sep 2010 14:09:19 GMT

This may be very trivial, how can i export only the certificate and not the private key of a issued certificate from the CA via command line. e.g a DC certificate.