How to Use Key and Certificate Backup/Restore Utility
ID: Q185195
|
The information in this article applies to:
-
Microsoft Internet Information Server version 4.0
-
Microsoft Certificate Server version 1.0
SUMMARY
This document describes how to use the key and certificate backup/restore
utility to protect keys and certificates for Microsoft Certificate Server.
MORE INFORMATION
This utility applies specifically to the keys and certificates issued by
Certificate Server. This utility is not designed to back up or restore
certificates issued to other Certificate Authorities (CAs). This utility
does not apply to log and database files used by Microsoft Certificate
Server.
Mechanics
The existing certutil command-line utility has been enhanced to include
backup and restore options.
The syntax is as follows:
certutil -backup <password> <filename>
certutil -restore <password> <filename>
The value for <password> is used to secure the <filename>. Using the
password and file name on the Restore option allows an encrypted file
containing keys and certificates to be restored. The file contains the
Certificate Authority's private key and certificate encrypted using PFX
(PKCS #12). PKCS #12 is a part of the Public Key Cryptography Standards
(PKCS) series from RSA Data Security, Inc. It is a standard for securely
exporting and importing private material, including private keys.
For additional information about RSA Data Security, please see the
following Web page:
http://www.rsa.com
Example 1
The following example demonstrates how the keys and certificates are saved
to C:\Backup\Certfile:
C:\>Certutil -backup Pswd C:\Backup\Certfile
In this example, the password is Pswd, and the file containing the
encrypted keys and certificates is named Certfile in the directory
C:\Backup. To restore the same keys and certificates, use the following:
C:\>Certutil -restore Pswd C:\Backup\Certfile
Example 2
In this example, the keys and certificates for an existing Certificate
Server application are backed up from a first computer and restored to a
second computer.
- The administrator enters the backup command from the first computer.
The following command backs up the keys and certificates for
CA_YOURCANAME to c:\backup\yourcertfile:
C:\>Certutil -backup yourpswd c:\backup\yourcertfile
NOTE: Be sure to choose your own password and backup file name.
- Copy the backup file to the other computer.
- The receiving computer must be readied to receive the CAs keys
and certificates. Installation of the Windows NT Option Pack is a
prerequisite. A Typical installation is recommended. After this is
done, start by installing Microsoft Certificate Server based on the
code obtained from the Certificate Server QFE. This is necessary
because a version of Certificate Server must exist that supports
the Restore option of the Certutil command.
NOTE: The Certificate Server QFE is available at the following FTP
site:
ftp.microsoft.com\bussys\iis\iis-public\fixes\usa\certserv
To install the Certificate Server QFE after downloading the files,
following the directions outlined in:
Q184695
: Readme Notes for Certificate Server Update
- Make sure that the values used in the Setup dialog boxes for the
newly installed Certificate Server computer are exactly the same
as those for the Certificate Server computer from which the keys
and certificates were obtained. This applies to the dialog box on
which identifying information is entered, and the dialog box on
which the Advanced Configuration is specified.
- Restore the keys and certificates:
C:\>certutil -restore yourpswd a:\yourcertfile
- Restore keys and certificates for CA_YOURCANAME from a:\certfile.
CA_YOURCANAME in this example is also the name of the CA on the new
Certificate Server computer that will eventually receive these keys and
certificates.
- Move the existing certificate files created during initial
installation of Certificate Server out of the shared folder, so that
no certificate files exist in the shared folder. For example, if the
new computer to which the CA is to be restored is named M2, then
the certificate files would be named M2_YOURCANAME.crt and
M2_YOURCANAME_Exchange.crt.
- Uninstall and reinstall Certificate Server. Do this using QFE
distribution files and the command-line install utility. In the
following example, the QFE files for Certificate Server are stored
in the directory C:\certqfe:
C:\>CD C:\Certqfe
C:\>SYSOCMGR /i:Certmast.inf /n
This starts the Setup utility for uninstall. When the Select
Components dialog box is displayed, the Certificate Server check
box will be selected. Clear it and click Next. After the
installation is complete, reinstall Certificate Server, this time
using the restored keys and certificates.
C:\>CD C:\Certqfe
C:\>SYSOCMGR /i:Certmast.inf /n
- When the Select Components dialog box appears, the Certificate
Server check box is not selected. Select it, and then click Next.
- In the first Microsoft Certificate Server Setup dialog box, type
the name of the shared folder on the new computer
(and where you previously copied the certificate files). Also,
check the Show Advanced Configuration check box. Click Next.
- In the second Microsoft Certificate Server Setup dialog box,
select the Use Existing Keys check box. Select the entry in the
list box corresponding to your CA name. Click Next.
- In the third Microsoft Certificate Server Setup dialog box,
type a description.
NOTE: The only configuration choice available in this step is the
CA description.
After you enter a description, click Next.
- Setup now continues and finishes. After Setup is completed, you
must reset the CA. You can do this by either restarting the computer
or typing the following command at a command prompt:
C:\>NET START CERTSVC
After you complete the above steps, your restored CA is now available. To
use the CA in Internet Information Server, make sure the World Wide Web
Publishing Service is also started.
Service Pack 4 Enhancements:
certutil -backup
This command backs up the CA private and public keys for the signing and
exchange certificates from the CA_CAName cert store and the CAName
HKEY_LOCAL_MACHINE key container, as well as the certificates themselves,
into a PFX file.
certutil -restore
This command restores the keys and certificates from a PFX file into the
registry into the CA_CAName cert store and the CAName HKEY_LOCAL_MACHINE
key container.
This allows the backup of the keys, which was not supported in the initial
release of the Windows NT Option Pack. With the advent of Service Pack 4,
if a server fails, a new server can be installed with the same computer
name. The old CA keys can be restored onto the new computer, and the
Certificate Server reinstalled, using the Advance dialog during the
installation to reuse the keys and certificates. After installation, use
Certutil.exe to accomplish backup and restore of the Certificate Server's
database file, and the Certificate Server's configuration is restored.
NOTE: Installing Certificate Server is necessary to obtain Certutil.exe ,
and Certutil.exe is necessary to restore backup keys; therefore, you must
install a temporary Certificate Server to restore the keys to a new
computer's registry. After you restore the backup keys, uninstall and
reinstall to reuse the restored keys.
Keywords :
Version : WINNT:1.0
Platform : winnt
Issue type : kbhowto
|