How to Use Key and Certificate Backup/Restore Utility

ID: Q185195

The information in this article applies to:
  • Microsoft Internet Information Server version 4.0
  • Microsoft Certificate Server version 1.0

SUMMARY

This document describes how to use the key and certificate backup/restore utility to protect keys and certificates for Microsoft Certificate Server.


MORE INFORMATION

This utility applies specifically to the keys and certificates issued by Certificate Server. This utility is not designed to back up or restore certificates issued to other Certificate Authorities (CAs). This utility does not apply to log and database files used by Microsoft Certificate Server.

Mechanics

The existing certutil command-line utility has been enhanced to include backup and restore options.

The syntax is as follows: 

   certutil -backup <password> <filename>

   certutil -restore <password> <filename>

The value for <password> is used to secure the <filename>. Using the password and file name on the Restore option allows an encrypted file containing keys and certificates to be restored. The file contains the Certificate Authority's private key and certificate encrypted using PFX (PKCS #12). PKCS #12 is a part of the Public Key Cryptography Standards (PKCS) series from RSA Data Security, Inc. It is a standard for securely exporting and importing private material, including private keys.

For additional information about RSA Data Security, please see the following Web page:
http://www.rsa.com

Example 1

The following example demonstrates how the keys and certificates are saved to C:\Backup\Certfile: 

   C:\>Certutil -backup Pswd C:\Backup\Certfile

In this example, the password is Pswd, and the file containing the encrypted keys and certificates is named Certfile in the directory C:\Backup. To restore the same keys and certificates, use the following: 

   C:\>Certutil -restore Pswd C:\Backup\Certfile

Example 2

In this example, the keys and certificates for an existing Certificate Server application are backed up from a first computer and restored to a second computer.
  1. The administrator enters the backup command from the first computer. The following command backs up the keys and certificates for CA_YOURCANAME to c:\backup\yourcertfile:
    
      C:\>Certutil -backup yourpswd c:\backup\yourcertfile
    NOTE: Be sure to choose your own password and backup file name.


  2. Copy the backup file to the other computer.


  3. The receiving computer must be readied to receive the CAs keys and certificates. Installation of the Windows NT Option Pack is a prerequisite. A Typical installation is recommended. After this is done, start by installing Microsoft Certificate Server based on the code obtained from the Certificate Server QFE. This is necessary because a version of Certificate Server must exist that supports the Restore option of the Certutil command.

    NOTE: The Certificate Server QFE is available at the following FTP site:
    
      ftp.microsoft.com\bussys\iis\iis-public\fixes\usa\certserv
    To install the Certificate Server QFE after downloading the files, following the directions outlined in:
    Q184695 : Readme Notes for Certificate Server Update


  4. Make sure that the values used in the Setup dialog boxes for the newly installed Certificate Server computer are exactly the same as those for the Certificate Server computer from which the keys and certificates were obtained. This applies to the dialog box on which identifying information is entered, and the dialog box on which the Advanced Configuration is specified.


  5. Restore the keys and certificates:
    
       C:\>certutil -restore yourpswd a:\yourcertfile


  6. Restore keys and certificates for CA_YOURCANAME from a:\certfile. CA_YOURCANAME in this example is also the name of the CA on the new Certificate Server computer that will eventually receive these keys and certificates.


  7. Move the existing certificate files created during initial installation of Certificate Server out of the shared folder, so that no certificate files exist in the shared folder. For example, if the new computer to which the CA is to be restored is named M2, then the certificate files would be named M2_YOURCANAME.crt and M2_YOURCANAME_Exchange.crt.


  8. Uninstall and reinstall Certificate Server. Do this using QFE distribution files and the command-line install utility. In the following example, the QFE files for Certificate Server are stored in the directory C:\certqfe:
    
      C:\>CD C:\Certqfe

      C:\>SYSOCMGR /i:Certmast.inf /n
    This starts the Setup utility for uninstall. When the Select Components dialog box is displayed, the Certificate Server check box will be selected. Clear it and click Next. After the installation is complete, reinstall Certificate Server, this time using the restored keys and certificates.
    
      C:\>CD C:\Certqfe

      C:\>SYSOCMGR /i:Certmast.inf /n


  9. When the Select Components dialog box appears, the Certificate Server check box is not selected. Select it, and then click Next.


  10. In the first Microsoft Certificate Server Setup dialog box, type the name of the shared folder on the new computer (and where you previously copied the certificate files). Also, check the Show Advanced Configuration check box. Click Next.


  11. In the second Microsoft Certificate Server Setup dialog box, select the Use Existing Keys check box. Select the entry in the list box corresponding to your CA name. Click Next.


  12. In the third Microsoft Certificate Server Setup dialog box, type a description.

    NOTE: The only configuration choice available in this step is the CA description.

    After you enter a description, click Next.


  13. Setup now continues and finishes. After Setup is completed, you must reset the CA. You can do this by either restarting the computer or typing the following command at a command prompt:
    
      C:\>NET START CERTSVC


After you complete the above steps, your restored CA is now available. To use the CA in Internet Information Server, make sure the World Wide Web Publishing Service is also started.

Service Pack 4 Enhancements:

certutil -backup
This command backs up the CA private and public keys for the signing and exchange certificates from the CA_CAName cert store and the CAName HKEY_LOCAL_MACHINE key container, as well as the certificates themselves, into a PFX file.

certutil -restore
This command restores the keys and certificates from a PFX file into the registry into the CA_CAName cert store and the CAName HKEY_LOCAL_MACHINE key container.

This allows the backup of the keys, which was not supported in the initial release of the Windows NT Option Pack. With the advent of Service Pack 4, if a server fails, a new server can be installed with the same computer name. The old CA keys can be restored onto the new computer, and the Certificate Server reinstalled, using the Advance dialog during the installation to reuse the keys and certificates. After installation, use Certutil.exe to accomplish backup and restore of the Certificate Server's database file, and the Certificate Server's configuration is restored.

NOTE: Installing Certificate Server is necessary to obtain Certutil.exe , and Certutil.exe is necessary to restore backup keys; therefore, you must install a temporary Certificate Server to restore the keys to a new computer's registry. After you restore the backup keys, uninstall and reinstall to reuse the restored keys.

Keywords :
Version : WINNT:1.0
Platform : winnt
Issue type : kbhowto


Last Reviewed: April 27, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.