Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Backing up and restoring a certification authority

The purpose of backup and restore operations is to protect the certification authority (CA) and its operational data from accidental loss due to hardware or storage media failure. The recommended method to back up a CA is to use Windows 2000 Backup to back up the entire file server.

It is also possible to back up and restore a CA using the Certification Authority snap-in, but this backup method is intended for use only in special cases where you don't want to back up the entire server on which the CA is installed. Using Certification Authority, you can back up and restore the following types of information:

  • Public key, private key, and the CA certificate
  • Certificate database

The public key and private key are backed up or restored using the PKCS #12 PFX format.

The Backup wizard will request that you supply a password when backing up the public and private keys and CA certificate. This password will be needed to restore the CA. See Back up a certification authority for procedures on backing up a CA using the Certification Authority snap-in.

After performing the initial full backup of the CA, you can do incremental backups from that point on. When restoring, you will need to restore the full backup first and then each incremental backup in the order that they were created. See Restore a certification authority from a backup copy for procedures on restoring a CA using the Certification Authority snap-in.

Important

  • In general, you should use Windows 2000 Backup and Windows 2000 Restore to back up and restore both the CA and the server. See Windows 2000 Backup for more information about backing up a Windows 2000 server.

Upon restoring a CA, the Internet Information Services (IIS) metabase must also be restored if it has been damaged or lost. If a damaged or missing IIS metabase is not restored, IIS will fail to start, and that will result in Certificate Services Web pages failing to load. The IIS snap-in is used to back up the IIS metabase. Windows 2000 Backup should be used to back up the IIS Web content pages and the CA.

Upon restoring a CA, the Internet Information Services (IIS) metabase must also be restored if it has been damaged or lost. If a damaged or missing IIS metabase is not restored, IIS will fail to start, and that will result in Certificate Services failing to start. The IIS snap-in is used to back up the IIS metabase. Windows 2000 Backup should be used to back up the IIS Web content pages and the CA.

When restoring a CA, if the database logs are not manually deleted before the restore, the CA will be restored to the point in time of the restore: the database logs will be replayed, and changes made since the last backup will be applied to the database. (The default location of the database logs is systemroot\system32\certlog.) If the database logs are manually deleted before the restore, the CA will be restored to the point in time that the backup was performed.
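
The restore ordering and the database-log rule described above, as an added Python example that is not part of the original Microsoft page. The `BackupSet` catalogue, the `D:\CABackup` paths and the function names are hypothetical; the example assumes each incremental belongs to the most recent full backup made before it, and reads "the backup" in the log rule as the last set restored.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class BackupSet:
    path: str          # hypothetical folder chosen when the backup was made
    kind: str          # "full" or "incremental"
    created: datetime

def restore_order(sets):
    """Sets to restore, in order: the newest full backup first, then every
    incremental created after it, oldest first. Incrementals that predate
    the chosen full backup belong to an older chain and are skipped
    (assumption of this example)."""
    fulls = [s for s in sets if s.kind == "full"]
    if not fulls:
        raise ValueError("no full backup: incrementals cannot be restored alone")
    base = max(fulls, key=lambda s: s.created)
    later = sorted((s for s in sets
                    if s.kind == "incremental" and s.created > base.created),
                   key=lambda s: s.created)
    return [base] + later

def recovery_point(plan, logs_deleted, restore_time):
    """Point in time the CA database reflects after the restore.
    Logs deleted first -> state as of the last backup set restored.
    Logs left in place -> they are replayed, so state as of the restore."""
    if logs_deleted:
        return plan[-1].created
    return restore_time

# Constructed sample catalogue, deliberately listed out of order.
SAMPLE = [
    BackupSet(r"D:\CABackup\inc2", "incremental", datetime(2001, 3, 9, 2, 0)),
    BackupSet(r"D:\CABackup\full0", "full", datetime(2001, 3, 1, 2, 0)),
    BackupSet(r"D:\CABackup\full1", "full", datetime(2001, 3, 5, 2, 0)),
    BackupSet(r"D:\CABackup\inc0", "incremental", datetime(2001, 3, 3, 2, 0)),
    BackupSet(r"D:\CABackup\inc1", "incremental", datetime(2001, 3, 7, 2, 0)),
]

if __name__ == "__main__":
    plan = restore_order(SAMPLE)
    for step, s in enumerate(plan, 1):
        print(step, s.kind, s.path, s.created.isoformat())
    now = datetime(2001, 3, 10, 12, 0)  # constructed restore time
    print("logs deleted :", recovery_point(plan, True, now).isoformat())
    print("logs replayed:", recovery_point(plan, False, now).isoformat())
```

Deciding whether to delete the logs is a choice about which state of the CA to trust: replaying them keeps certificates issued and revoked since the last backup, while deleting them discards those changes.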
