Backing up Windows Server 2008 ADCS CA Keys

[EDIT 2/20/2012] This problem has recently been resolved in a hotfix update. System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 - https://support.microsoft.com/kb/2603469

Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier versions of Windows. Windows Server 2008 changed how the underlying private key store is maintained and linked in the file system. The private key is now stored in the hidden folder structure "%systemdrive%\ProgramData\Microsoft\Crypto\Keys", which is linked and accessible via "%systemdrive%\users\all users\microsoft\crypto\keys". As a result of this change, System State Backups no longer include the ADCS private keys. The CA keys should be backed up so that you can properly recover a failed Certification Authority or migrate it to a new computer. In addition to regular System State Backups, we recommend you back up the CA keys using one of the following methods:

  • From a command prompt on the Certification Authority, perform a full CA backup by using the command certutil -backupKey <destination folder>. You will be prompted for a password to assign to the CA key p12 file.
  • By using the Certification Authority Administrative Tool MMC, right-click the CA, then All Tasks, Backup CA. The wizard will prompt you to select the Private Key to back up and a password to assign to the key.

In either case, the p12 file that is created is the life-blood of the Certification Authority. It should be kept in a secure and controlled location, as access to the p12 file and its associated password could enable unauthorized users to create and use certificates in your environment. This is the same security requirement that applied to System State Backups prior to Windows Server 2008, as they contained the private key material as well. The CA keys should be backed up any time the CA keys are renewed or reissued.
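The command-line method above, scripted so that the key backup lands in a timestamped folder whose ACL is restricted before the p12 is written, and with the resulting file hashed for later integrity checks. This is an added example, not code from the original post; it assumes it runs elevated on the CA itself, and the backup root D:\CABackup is an assumed location.

```powershell
# Added example (not from the original post). Runs elevated on the CA.
# $BackupRoot is an assumed path; use a controlled volume in your environment.
param([string]$BackupRoot = 'D:\CABackup')

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "cakey-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Strip inherited permissions and allow only Administrators and SYSTEM,
# so the p12 never sits in a folder other users can read.
& icacls $dest /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# certutil prompts for the p12 password interactively, as the post describes.
# (-p <password> exists for unattended runs, but then the password appears on
# the command line and in process listings, so it is deliberately not used here.)
& certutil -f -backupKey $dest
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backupKey failed with exit code $LASTEXITCODE"
}

# Verify that a key container was actually produced.
$p12 = Get-ChildItem -Path $dest -Filter '*.p12' | Select-Object -First 1
if (-not $p12) { throw "No .p12 file was written to $dest" }

# Record a SHA-256 of the p12 beside it so an archived copy can be checked
# for corruption or tampering before it is ever used in a recovery.
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.IO.File]::ReadAllBytes($p12.FullName)
$hash  = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
"$hash  $($p12.Name)" | Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')

Write-Host "CA key backed up to $($p12.FullName)"
```

Copy the folder to the controlled location the post calls for and store the password separately from the p12; the SHA256SUMS.txt lets you confirm the archived copy is intact before relying on it.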

EDITED 8/19/2010: Clarified that this applies to both Windows Server 2008 and 2008 R2.

Comments

  • Anonymous
    January 01, 2003
    No, an additional backup is not required. Using "AllCritical" includes all critical drives, including the Operating System drive. The private keys are stored on the Operating System drive. For more information on "AllCritical", refer to blogs.technet.com/.../deciding-between-system-state-backup-and-allcritical-backup-in-windows-server-2008.aspx.

  • Anonymous
    January 01, 2003
    Yes. The Snapshot will be a full backup of the guest operating system and will then give you all the files you need. The downside is the recovery is more difficult if you want to restore just certificate services and not the entire snapshot.

  • Anonymous
    November 29, 2010
    We are using Windows Server Backup on Windows Server 2008 with the option -allcritical. Is it still necessary to back up the CA keys separately?

  • Anonymous
    February 01, 2011
    In regards to hosting CAs on VMs. Would a Snapshot of the current state of a VM be a suitable backup option?

  • Anonymous
    February 06, 2014
    That’s a tricky point that can lead to serious problems. How can you restore ADCS database if you do

  • Anonymous
    December 29, 2014
    Whether the Issuing CA also has private keys and hence we need to apply the patch specified above