[EDIT 2/20/2012] This problem has recently been resovled in a hotfix update. System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 - http://support.microsoft.com/kb/2603469
Backing up a Windows Server 2008 (Including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier versions of Windows. Windows Server 2008 incorporates a change to how the underlying private key store is maintained and linked in the file system. The private key is now stored in the hidden folder structure "%systemdrive%\ProgramData\Microsoft\Crypto\Keys" which is linked and accessible via "%systemdrive%\users\all users\microsoft\crypto\keys". As a result of this change, System State Backups will no longer include the ADCS private keys. It is recommended that the CA keys are backed up to ensure you can properly recover a failed Certification Authority or to migrate to a new computer. In addition to regular System State Backups, we recommend you back up the CA keys using one of the following methods:
In either case, the p12 file that is created is the life-blood of the Certification Authority. It should be kept in a secure and controlled location as access to the p12 file and associated password could enable unauthorized users to create and utilize certificates in your environment. This is the same security requirement prior to Windows Server 2008 System State Backups, as they contained the private key material as well. The CA keys should be backed up anytime the CA keys are renewed or reissued.
EDITED 8/19/2010: Clarified that this applies to both Windows Server 2008 and 2008 R2.
This may be very trivial, how can i export only the certificate and not the private key of a issued certificate from the CA via command line. e.g a DC certificate.
The private key is usually not stored by a Certification Authority for an issued certificate (unless Key Recovery is implemented). So any certificate you export from the CA will NOT contain the private key unless you are explicity performing a Key Recovery. To get a certificate exported from the CA with a command line only approach, you can perform the following steps:
1) Locate the requestID in the database or find another distinguishing attribute (Serial Number, etc...)
2) Run the following two commands. The first exports the certificate in a raw format, the second decodes it into an X509 certificate.
certutil –view –restrict RequestId=<ID FROM STEP1> –out RawCertificate > RequestCert.txt
certutil –decode RequestCert.txt Certificate.cer
If you are using another attribute other than RequestID, the -restrict statement should be changed to the appropriate attribute and value.
We are using Windows Server Backup on Windows Server 2008 with the option -allcritical. Is it still necessary to backup the CA keys seperately?
No, an additional backup is not required. Using "AllCritical" includes all critical drives, including the Operating System drive. The private keys are stored on the Operating System drive. For more information on "AllCritical", refer to blogs.technet.com/.../deciding-between-system-state-backup-and-allcritical-backup-in-windows-server-2008.aspx.
In regards to hosting CAs on VMs. Would a Snapshot of the current state of a VM be a suitable backup option?
Yes. The Snapshot will be a full backup of the guest operating system and will then give you all the files you need. The downside is the recovery is more difficult if you want to restore just certificate services and not the entire snapshot.