
How to implement a PKI recovery plan

If you have deployed Microsoft Certificate Authority and planned your PKI infrastructure well, then congratulations: you made it this far. One of the most important things you should do now is make sure you have full documentation of your deployment, and build a PKI recovery plan by putting a solid backup solution in place for your CA servers. You do not want a failure to disrupt your deployment and your users, and your PKI recovery plan is what lets you define an SLA for the certificate authority.

In this blog post, I will describe, from my own experience, which components of your CA server you should include in your backup plan, and how to perform the backup.

Documentation is everything

Make sure you have full documentation of your public key infrastructure deployment. Most of it will be produced during the PKI hierarchy design phase; that phase yields about 90% of the information you need when recovering or rebuilding your PKI infrastructure.

After the design phase comes the implementation phase. When you deploy certification authority servers, you need full documentation of the following:

  • Server name.
  • Server OS and service pack level.
  • Operating system drive layout.
  • Local administrator account credentials.
  • Group policy and any security hardening applied.
  • CAPolicy.inf file.
  • Certification authority configuration settings.
  • Any configuration or maintenance scripts used.
  • Screenshots of the CA server deployment.

Your documentation should be complete enough to rebuild the whole PKI hierarchy after a full disaster.

How to back up a certification authority

System State Backup (full backup, not differential)

To implement a PKI recovery plan, start by taking backups of your CA servers. System state backups are the preferred method to back up a CA. A system state backup includes the following CA-related components:

  • CA database: holds information about every certificate issued or revoked.
  • CA key pair: the backup should include all versions of the CA certificate, in case the CA certificate has been renewed.
  • IIS metabase: important if changes were made to the certificate services web enrollment pages.
  • Certification authority settings, such as the CRL and AIA locations. All CA settings are stored in the registry under HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName.

Back up CA files through the GUI

A manual backup of the certificate authority can be performed through the CA console. When you open the CA console and choose to take a backup, you can select the CA database and the CA key pair. The registry settings and the IIS metabase must be backed up separately.

  • From the Start menu, point to Administrative Tools and click Certification Authority. In the console tree, ensure that Certificate Services is running.
  • In the console tree, right-click the CA name, point to All Tasks and click Back up CA.
  • On the Welcome to the Certification Authority Backup Wizard page, click Next.
  • On the Items to Back Up page, set the following options:
    • Private key and CA certificate. Includes the CA's certificate and private key(s) in the backup set. Select this option only if you are using a software CSP. If you use a hardware CSP, leave this check box cleared.
    • Certificate database and certificate database log. Always select this option to ensure that the CA database and log files are included in the backup set.
    • Perform incremental backup. This check box is not usually selected. Full backups of the CA database and log files are recommended instead.
    • Back up to this location. Select a folder on the local file system that does not contain any existing data.
  • If the Certification Authority Backup Wizard dialog box appears, click OK to create the location designated on the Items to Back Up page.
  • If you chose to back up the private key and CA certificate, the Select a Password page opens; type and confirm a password to protect the PKCS #12 file generated by the backup procedure, and click Next.
  • On the Completing the Certification Authority Backup Wizard page, click Finish.

Once the backup is complete, open the folder where the backup output was written. You will find a *.p12 file (the PKCS #12 backup of the CA's certificate and private key) and a subfolder named Database that contains the backup of the CA database and log files.

You should also back up the CA configuration settings by exporting the registry key HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName, replacing CAName with your certification authority name.

Back up CA files through Certutil

If you are using a software CSP, ensure that the backup set includes both the CA database and the CA's key pair. To do this, use the following procedure:

  • Open a command prompt.
  • At the command prompt, type net start certsvc to ensure that Certificate Services is running.
  • Create a folder that will hold the manual backup of the CA database, for example C:\CABackup.
  • At the command prompt, type certutil -backup C:\CABackup and press ENTER.
  • At the Enter New Password prompt, type a complex password and press ENTER.
  • At the Confirm New Password prompt, type the same password again and press ENTER.
  • When the backup is complete, ensure there are no error messages and close the command prompt.

The password you provide protects the PKCS #12 file that contains the CA's key pair. Creating a backup of the private key requires you to be a local administrator of the computer, whereas backing up the CA database requires only the Common Criteria backup operator role. In other words, this single command only succeeds if Common Criteria role separation is not enforced.

If Common Criteria role separation is enforced, split the work into two Certutil commands: one that backs up the database and one that backs up the key pair.

As with the GUI method, also back up the CA configuration settings by exporting the registry key HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName, replacing CAName with your certification authority name.

Recommendation

PKI recovery is critical, and you should have a solid backup plan in place. Here are my final recommendations:

  1. Take regular system state backups of the machine running your CA.
  2. Take regular backups of the CA private key, the CA database and the CA settings stored under the registry key mentioned above.
  3. You can schedule a script that performs the backup actions in step 2, as shown below.
  4. Take a backup of the CAPolicy.inf file if you created one explicitly during the CA installation.
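The Certutil steps above and recommendations 2 to 4 combined into one schedulable PowerShell script. This is an added example, not the post's own script or the download it links to below; it assumes the active CA name is stored in the Active value under the CertSvc Configuration registry key, that the script runs on the CA itself, and that certutil.exe and reg.exe are on the path.

```powershell
# Added example: one scheduled backup of the CA database, key pair, registry settings
# and CAPolicy.inf, built on the certutil commands described above. Not the post's script.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # root backup folder, e.g. D:\CABackup (assumed)
    [switch]$Incremental,                          # differential database backup instead of a full one
    [switch]$BackupKey,                            # also export the PKCS #12 key (software CSP only)
    [string]$KeyPassword                           # password protecting the .p12 when -BackupKey is set
)

$ErrorActionPreference = 'Stop'
$configKey = 'SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# certutil -backup* needs a running CA service to open the database.
if ((Get-Service certsvc).Status -ne 'Running') { Start-Service certsvc }

# The 'Active' value names the active CA; it is also the per-CA subkey that holds its settings.
$caName = (Get-ItemProperty "HKLM:\$configKey").Active

# certutil refuses a target folder that already holds data, so create a fresh dated one.
$target = Join-Path $Path ('{0}_{1}' -f $caName, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $target | Out-Null

# Database and log files. Kept as a separate command from the key backup so the script
# still works when Common Criteria role separation is enforced (run once per role).
$dbArgs = @('-backupDB', $target)
if ($Incremental) { $dbArgs += 'Incremental' }
& certutil.exe @dbArgs
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with exit code $LASTEXITCODE" }

# CA certificate and private key as a PKCS #12 file. Requires local admin; skip for a hardware CSP.
if ($BackupKey) {
    if (-not $KeyPassword) { throw 'A password is required to protect the exported key' }
    & certutil.exe -p $KeyPassword -backupKey $target
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed with exit code $LASTEXITCODE" }
}

# CA settings (CRL/AIA locations and the rest) live under the per-CA registry key.
& reg.exe export "HKLM\$configKey\$caName" (Join-Path $target 'CAConfig.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# CAPolicy.inf exists only if one was authored before the CA was installed.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item -Path $policy -Destination $target }

Write-Output "CA backup written to $target"
```

Each dated folder contains the Database subfolder, the CAConfig.reg export and, when requested, the .p12 file, so the output folder can be pulled to tape as-is.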

Script that will back up your CA files

The script is written by a PKI geek; you can download his PowerShell Script to Backup CA and evaluate it. The script takes the following parameters:

  • $Path
  • $Type = "Full" or "Incremental"
  • $Password
  • [switch]$BackupKey
  • [switch]$KeepLog
  • [switch]$Extended
  • [switch]$Force

So you can run it by typing:

The script backs up all of the files listed above in a tidy way. I tested the integrity of the script by restoring a CA from the backed-up files, and everything worked fine.

You can schedule the script to run every day using Windows Task Scheduler and then pull those files to tape.

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger.
He is considered a trusted advisor with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing.

His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional.

Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.
