Create a backup of a certification authority

Professional operation of a Certification Authority also includes the regular creation of backups.

The following describes which components need to be backed up and the associated procedure.

The following steps are deliberately solved via the command line so that they can be automated in a backup script.

Securing the private key material

The private key material of a certification authority is deliberately not backed up on a regular basis, since every additional copy of the key widens the circle of parties who could impersonate the certification authority. A detailed description of that (one-off) procedure can be found in the article "Create a backup of the private key of a certification authority".

Securing the certification authority data


Regular backup of a Certification Authority includes the following essential components:

  • The certification authority policy file (capolicy.inf).
  • The issued certificates, i.e. the certification authority database and, if set up, the e-mails from the SMTP exit module.
  • The registry of the Certification Authority.

This data is sufficient to be able to restore the certification authority in an emergency. In addition, it makes sense to include the following components in the regular backup:

  • The registry of the Certification Authority in human-readable format.
  • A list of revocation lists published on the certification authority.
  • The certification authority certificates (without private keys) and revocation lists (for performing emergency signing).
  • The security event log of the certification authority.
  • The certificate templates belonging to the certification authority in human-readable format.
  • The Active Directory objects belonging to the certification authority.
  • Additionally, scripts and scheduled tasks set up for the operation of the certification authority (e.g. copy scripts for the revocation lists).
  • If available, the installation and configuration files for the hardware security module.

Backup of the certification authority policy file (capolicy.inf)

The certification authority policy file (capolicy.inf) describes basic configuration settings for a certification authority. It is located in the Windows directory (%SystemRoot%, usually C:\Windows), not in System32. It is sufficient to make a copy of the file.

Backup of the Certification Authority database

The certification authority database contains a log of all certificates issued and revoked by the certification authority, as well as certificate requests that have not yet been processed, failed or rejected. If activated, the private keys of the issued certificates are also archived in encrypted form.

The certification authority database can be backed up with the following command line command:

certutil -backupdb {path-to-backup}

Optionally, the integrity of the certification authority database backup can be verified afterwards; the check is described in a separate article. Note that certutil expects an empty target directory for the database backup, so each run should write into a fresh folder.

Securing the certification authority registry

The registry of the certification authority contains all configuration settings for the certification authority. It is located under "HKLM\System\CurrentControlSet\Services\CertSvc". It can be exported with the following command line command (the /y switch overwrites an existing export file without prompting, which matters when the command runs unattended):

reg export "HKLM\System\CurrentControlSet\Services\CertSvc" "{Path-to-backup}\CertSvc.reg" /y

Backup of the certification authority registry (in human-readable format)

The export performed in the previous step contains the settings in machine-readable form. In order to gain insight into the configuration during the restoration of a certification authority, it is helpful to also keep a human-readable variant of the information. This can be created with the following command line commands.

certutil -v -getreg > "{Path-to-backup}\GetReg.txt"
certutil -v -getreg CA > "{Path-to-backup}\GetReg_Ca.txt"
certutil -v -getreg CA\CSP > "{Path-to-backup}\GetReg_Ca_Csp.txt"

Securing certification authority certificates and revocation lists

For the emergency signing of revocation lists, and for the restoration of the certification authority certificates when a hardware security module is used, the CertEnroll folder under C:\Windows\System32\CertSrv should be backed up. It contains the certification authority certificates (without private keys) and the revocation lists published so far.

Securing the security event log of the certification authority

Provided that the auditing of certification authority events has been configured correctly, all security-relevant operations of the certification authority are written to the security event log. If no central collection of the event log is implemented in the network, it may be useful to include the security event log in the backup to allow for later forensic analysis. The security event log can be backed up using the following command line command:

wevtutil export-log Security "{Path-to-backup}\EventLog_Security.evtx"

Securing a list of certificate templates published on the certification authority

This information is stored in Active Directory, but it may be useful to save a list of the certificate templates published on the certification authority for later use. This can be achieved with the following Windows PowerShell command (Get-CATemplate is part of the ADCSAdministration module that ships with the certification authority role).

Get-CATemplate | Foreach-Object { $_.Name } | Out-File -FilePath "{Path-to-Save}\CATemplates.txt" -Encoding String -Force

Securing the certificate templates belonging to the certification authority in human-readable format

To save the current configuration of certificate templates bound to the certification authority, the following Windows PowerShell command can be used based on the previously created list:

Get-Content -Path "{Path-to-backup}\CATemplates.txt" | ForEach-Object { certutil -v -template $_ > "{Path-to-backup}\$_.txt" }
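The individual commands above can be combined into one backup script, which is the reason the article keeps them on the command line. The following PowerShell script is an added example and not the article's own script; it assumes a backup root path (D:\CA-Backup), that it runs elevated on the certification authority itself, that the ADCSAdministration module is available there, and it adds a SHA-256 manifest of the written files so that a damaged or manipulated backup can be recognised before a restore is attempted.

```powershell
#Requires -RunAsAdministrator
# Added example: regular backup of a certification authority (private keys excluded).
# Assumed: backup root D:\CA-Backup, executed locally on the CA with administrative rights.
param(
    [string]$BackupRoot = "D:\CA-Backup"   # assumption, adjust to the actual backup target
)

$ErrorActionPreference = "Stop"

# One timestamped folder per run: older backups are kept, and certutil -backupdb
# gets the empty target directory it expects.
$Stamp      = Get-Date -Format "yyyy-MM-dd_HHmm"
$BackupPath = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Native tools report failure only through their exit code; stop the run if one fails.
function Assert-ExitCode {
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Certification authority policy file (lives in %SystemRoot%, not in System32)
$CaPolicy = Join-Path $env:SystemRoot "capolicy.inf"
if (Test-Path $CaPolicy) {
    Copy-Item -Path $CaPolicy -Destination $BackupPath
} else {
    Write-Warning "No capolicy.inf found in $env:SystemRoot"
}

# 2. Certification authority database (including archived private keys, if enabled)
certutil -backupdb "$BackupPath\Database"
Assert-ExitCode "certutil -backupdb"

# 3. Registry of the certification authority, machine-readable (/y: overwrite without prompt)
reg export "HKLM\System\CurrentControlSet\Services\CertSvc" "$BackupPath\CertSvc.reg" /y
Assert-ExitCode "reg export"

# 4. Registry of the certification authority, human-readable
certutil -v -getreg        | Out-File -FilePath "$BackupPath\GetReg.txt"
certutil -v -getreg CA     | Out-File -FilePath "$BackupPath\GetReg_Ca.txt"
certutil -v -getreg CA\CSP | Out-File -FilePath "$BackupPath\GetReg_Ca_Csp.txt"

# 5. CA certificates (without private keys) and published revocation lists
$CertEnroll = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll"
Copy-Item -Path $CertEnroll -Destination (Join-Path $BackupPath "CertEnroll") -Recurse

# 6. Security event log (the target file must not exist yet; the fresh folder guarantees that)
wevtutil export-log Security "$BackupPath\EventLog_Security.evtx"
Assert-ExitCode "wevtutil export-log"

# 7. Templates published on the CA, plus each template's configuration in readable form
Import-Module ADCSAdministration
$Templates = Get-CATemplate | ForEach-Object { $_.Name }
$Templates | Out-File -FilePath "$BackupPath\CATemplates.txt" -Encoding String -Force
foreach ($Template in $Templates) {
    certutil -v -template $Template | Out-File -FilePath "$BackupPath\Template_$Template.txt"
}

# 8. Manifest with SHA-256 hashes of everything written, so that corruption or tampering
#    is detected before a restore is attempted. Hashes are collected first so that the
#    manifest does not end up hashing itself.
$Hashes = Get-ChildItem -Path $BackupPath -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$Hashes | Export-Csv -Path "$BackupPath\Manifest.csv" -NoTypeInformation

Write-Host "Backup written to $BackupPath ($($Hashes.Count) files)"
```

The script deliberately leaves out the private key of the certification authority, in line with the section above; the scheduled task that runs it should execute under an account that holds the Backup permission on the certification authority, and the backup target itself needs the same access restrictions as the certification authority, since the database contains any archived private keys.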
