Backup and restore for Active Directory Certificate Services
By Fredrik "DXter" Jonsson

Since I am a very active user and moderator for the Certificate and PKI section on ITProffs.se (Sweden’s largest community for professionals in the IT industry), I see a lot of things regarding what people usually don’t know about PKI and ADCS. A quite common question is backup and restore of ADCS, which not least comes to people’s attention in migration or upgrade scenarios.
Many people seem to think that if they back up the CA’s certificate (with private key) they are all right and don’t need to worry any more. However, that is not true! The certificate and its associated private key are indeed the CA’s identity, and we back up the identity of our CA by backing up that certificate and key. But we need to back up more things than just that!
1. As mentioned, we need to back up the CA’s certificate and associated private key. To keep it simple, use “certutil -backupKey”. However, if you use an HSM or store your CA’s keys on a smart card, the “certutil -backupKey” command will fail since the private key cannot be extracted. In those scenarios, please consult your HSM-specific software/CSP/documentation. Regarding CAs with their keys on smart cards, I recommend generating the keys outside of the smart card, archiving the keys and then importing them onto the smart card. (A guide to enable this for the Base CSP can be found here.) If you generate your CA’s key pair straight on the smart card you will never be able to restore your CA’s keys if you get a card failure!
2. Another very important thing to do is to back up the database and log files for ADCS. Since I like to use certutil, “certutil -backupDB BackupDirectory KeepLog” will help us with that task (the backup directory is mandatory; KeepLog preserves the database log files instead of truncating them). People usually don’t understand the value of having a fresh copy of the ADCS database, but to explain it simply: if the CA doesn’t keep any track of which certificates have been issued, then they cannot be revoked, since from the CA’s point of view they “have not been issued”!
3. Back up the ADCS configuration, which can be found under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. If you are migrating your CA to another machine and want to change something (like the CSP), make all configuration changes in the exported registry file before you import it on your target CA.
4. Back up your CA’s policy file. By default it can be found under %WINDIR%\CAPolicy.inf.
5. CRLs don’t need to be backed up: the CA certificate’s private key plus the ADCS database is all that is needed to generate new CRLs and Delta CRLs.
6. Certificate templates do not need to be backed up, since they are stored in Active Directory, not in the CA itself! The only thing you need to do after a migration is to add them again as available templates on that specific CA.
7. If you are doing an ADCS migration, please keep the old CA’s computer account and make sure the new CA is using it. In other words, don’t change the computer name of your CA! If you don’t do this, you will lose all references to your CA in your ACLs. Another thing you will experience is CRL errors for your previously issued certificates, since the old CDP is not available anymore.
Another thing to think about is that the backup itself can be used to compromise the CA or, in the worst case, the entire PKI structure! Please handle your ADCS backups with great care, not only because of the CA’s certificate and key, but also because of the database, since it may contain private keys for issued certificates if key archival is enabled!
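The steps above, pulled together into one script. This is an added example written for this post, not something the original author published: it runs elevated on the CA itself with the CA service running, assumes the CA keys live in a software CSP/KSP (on an HSM or smart card the -backupKey step fails exactly as described in step 1), and the backup root folder is an assumption for illustration. The last command is the "handle with care" part: it strips inherited permissions from the backup folder and grants access only to SYSTEM and the local Administrators group.

```powershell
# Added example (not from the original post). Backs up an ADCS CA following
# steps 1-4 and 6 above and then locks down the backup folder.
# Assumptions: run as administrator on the CA, CA service (certsvc) is running,
# CA keys are in a software CSP/KSP. $BackupRoot is an assumed location.
param(
    [string]$BackupRoot   = 'D:\CABackup',              # assumed
    [string]$CAPolicyPath = "$env:WINDIR\CAPolicy.inf"  # default location per step 4
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest | Out-Null

# Step 1: CA certificate + private key. certutil prompts for the PFX password
# when -p is not given, so the password never ends up on the command line.
certutil -backupKey $dest
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backupKey failed ($LASTEXITCODE); HSM/smart-card keys need the vendor tooling"
}

# Step 2: database and log files. KeepLog preserves the log files instead of
# truncating them after the backup.
certutil -backupDB $dest KeepLog
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed ($LASTEXITCODE)" }

# Step 3: registry configuration. Edit this .reg file (for example the CSP
# values) before importing it on a migration target.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $regKey (Join-Path $dest 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }

# Step 4: CAPolicy.inf, if the CA has one.
if (Test-Path $CAPolicyPath) { Copy-Item $CAPolicyPath -Destination $dest }

# Step 6: templates live in AD, but record which ones this CA currently
# publishes so they can be added back on the new CA after a migration.
certutil -CATemplates | Out-File (Join-Path $dest 'CATemplates.txt')

# Record the CSP/KSP in use; handy when planning a CSP change in step 3.
certutil -getreg CA\CSP\Provider | Out-File (Join-Path $dest 'CSP-Provider.txt')

# Handle the backup with care: no inherited ACEs, only SYSTEM and local
# Administrators may read the folder (it may hold archived private keys).
icacls $dest /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

Write-Host "CA backup written to $dest"
```

On the restore side the counterparts are certutil -restoreKey and certutil -restoreDB pointed at the same folder, reg import of the .reg file (after any CSP edits), and certutil -SetCATemplates +TemplateName for each template listed in CATemplates.txt. Moving the backup folder off the CA (for example onto offline media) is still the owner's decision; the ACL only protects it while it sits on the server.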
// Fredrik “DXter” Jonsson