Crash-proofing the Enterprise Root CA

by Shijaz Abdulla on 08.04.2008 at 07:24

Your enterprise root CA is an important piece of your enterprise network, especially if you issue a lot of certificates for a wide variety of purposes to your users.

A root CA also needs to be highly secured, both physically and over the network, because it holds the CA's private key. Downtime on the root CA is seldom noticed because there is minimal need to use the server, except while issuing or renewing certificates. In fact, the Microsoft best practice is to power down your root CA when it is not in use.

Now, what do you do if your enterprise root CA crashes? Information about the enterprise root CA is written to Active Directory and to the registry of the Windows Server hosting the CA, and, most important of all, the private key is also stored on this machine.

Quite obviously, in the event of a total failure, a backup is required. Taking a backup of the root CA is often neglected. Believe me, it takes virtually no time to take a backup, and it is the only way to restore your CA with all private keys intact.

Microsoft KB Article 298138 explains how you can back up your CA and move it to separate hardware. The procedure is also applicable if the hardware running your root CA crashes totally and you want to set up the same CA on new server hardware.

In this post, I will explain how you can automate a backup of the CA. Restoration can be done as per the article mentioned above. Write a script “backupCA.bat” with the following code:

REM certutil prompts for a password to protect the exported private key; add -p <password> for unattended runs.
REM A folder that already holds a backup is refused, so start from an empty folder (or add -f to overwrite).
certutil -backup D:\backup
REM -backupkey and -backupdb are the two halves of -backup, shown separately here.
certutil -backupkey D:\backup
certutil -backupdb D:\backup
REM The CA configuration lives in the registry; certutil does not export it.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration D:\backup\regbackup.reg

Make sure the D:\backup folder is picked up by your centralized tape backup solution. Be extra careful with the tape, because it contains the private key of your CA. Your organization's security policy should cover the handling of these tapes.
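The same backup as an unattended PowerShell wrapper is shown below. This is an added example, not the script from the original post: it supplies the PFX password non-interactively, writes into a fresh timestamped folder (so certutil never refuses an already-used directory), restricts the folder's ACL before anything is written, checks that the expected artifacts exist, and records SHA-256 hashes so a restore can be compared against what went to tape. $BackupRoot, $PfxPassword, the artifact names checked (*.p12 and DataBase\*.edb) and the ACL choices are assumptions for illustration; restoration still follows KB 298138.

```powershell
# Added example (not part of the original post): unattended enterprise CA backup.
# Assumed: runs elevated on the CA host; $BackupRoot / $PfxPassword are placeholders supplied
# by the scheduled task (store the password in a protected location, never in the script).
param(
    [string]$BackupRoot = 'D:\backup',
    [Parameter(Mandatory = $true)][string]$PfxPassword   # protects the exported private key
)

$ErrorActionPreference = 'Stop'

# certutil -backup will not write into a folder that already holds a backup,
# so every run gets its own timestamped folder.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target | Out-Null

# Lock the folder down to SYSTEM and Administrators before the key is exported into it
# (assumed policy; adjust to the identities your backup agent runs as).
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

function Invoke-CertUtil([string]$Description, [string[]]$Arguments) {
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# -backup exports the CA key/certificate (PFX) and the CA database in one step.
Invoke-CertUtil 'CA key and database backup' @('-p', $PfxPassword, '-backup', $target)

# The CA configuration is in the registry and is not part of the certutil backup.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'regbackup.reg') /y
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed' }

# Completeness check (assumed default certutil layout: <CAName>.p12 plus a DataBase subfolder).
$pfx = Get-ChildItem -Path $target -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $pfx -or -not $edb) { throw "Backup in $target is incomplete: PFX or database file missing" }

# Integrity manifest: lets you verify the restored copy matches what was backed up.
Get-ChildItem -Path $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

Write-Host "CA backup written to $target"
```

Run it from a scheduled task on the CA (for example `.\Backup-CA.ps1 -PfxPassword <password>`), and point the tape backup at $BackupRoot. The manifest and the PFX password should be handled like the tape itself: anyone holding both the backup and the password holds the CA's private key.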