Using Certutil

The certutil command allows you to automate the backup of the CA in a batch file. The batch file can be scheduled by using the Task Scheduler services.

If you are using a software CSP, ensure that the backup set includes both the CA database and the CA's key pair. To do this, use the following procedure:

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA database—for example, C:\CABackup.

4. At the command prompt, type certutil -backup C:\CABackup and press ENTER.

5. At the command prompt, at the Enter New Password prompt, type a complex password and press ENTER.

6. At the command prompt, at the Confirm New Password Prompt, type the same password again and press ENTER.

7. When the backup is complete, ensure there are no error messages and close the command prompt.

The password you provide protects the PKCS #12 file that contains the CA's key pair. To back up the private key, you must be a local administrator of the computer; to back up the CA database, you need hold only the Common Criteria role of backup operator. In other words, you can run this combined command successfully only if Common Criteria role separation is not enforced.

If Common Criteria role separation is enforced, you can separate the two backups by running two certutil commands.

To back up only the CA database, a backup operator can use the -backupdb option, as shown here:

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA database—for example, C:\CABackup.

4. At the command prompt, type certutil -backupdb C:\CABackup and press ENTER.

5. When the backup is complete, ensure there are no error messages and close the command prompt.

Likewise, if you are a local administrator and only want to back up the CA's key pair, you can use the -backupkey option, which writes the CA's private key and public key to a PKCS #12 file.

1. Open a command prompt.

2. At the command prompt, type net start certsvc to ensure that Certificate Services is running.

3. Create a folder that will contain the results of the manual backup of the CA's key pair, for example C:\CABackup.

4. At the command prompt, type certutil -backupkey C:\CABackup and press ENTER.

5. At the command prompt, at the Enter New Password prompt, type a complex password and press ENTER.

6. At the command prompt, at the Confirm New Password prompt, type the same password and press ENTER.

7. When the backup is complete, ensure there are no error messages and close the command prompt.
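As an added example (not part of the original text), the following batch file automates the database-only backup described above so it can be run from the Task Scheduler. It deliberately uses -backupdb rather than -backup, because the key pair backup prompts for a PKCS #12 password that should not be stored in a script, and the key pair changes only at renewal, so it can be backed up manually. The C:\CABackup root comes from the page; the log file name and the date-stamped subfolder are assumptions.

```batch
@echo off
REM Added example: scheduled CA database backup with certutil -backupdb.
REM Only the database is taken; the key pair (-backupkey) is backed up
REM manually because it requires an interactive PKCS #12 password.
REM The root folder comes from the page; log name and layout are assumptions.
setlocal

set "BACKUPROOT=C:\CABackup"
set "LOGFILE=%BACKUPROOT%\backup.log"
if not exist "%BACKUPROOT%" mkdir "%BACKUPROOT%"

REM Build a locale-independent time stamp (yyyy-MM-dd_HHmm) for the subfolder.
for /f %%d in ('powershell -NoProfile -Command "Get-Date -Format yyyy-MM-dd_HHmm"') do set "STAMP=%%d"
set "TARGET=%BACKUPROOT%\%STAMP%"

REM certutil requires an empty backup directory, so use a fresh one per run.
if not exist "%TARGET%" mkdir "%TARGET%"

REM Ensure Certificate Services is running (step 2 of the procedure).
sc query certsvc | find "RUNNING" >nul
if errorlevel 1 (
    net start certsvc >nul 2>&1
    if errorlevel 1 (
        echo %STAMP% ERROR: Certificate Services is not running>>"%LOGFILE%"
        exit /b 1
    )
)

REM Full database backup (step 4). No password prompt is involved.
certutil -backupdb "%TARGET%" >>"%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %STAMP% ERROR: certutil -backupdb failed, see log>>"%LOGFILE%"
    exit /b 1
)

REM Sanity check: certutil writes the ESE database into a DataBase subfolder.
if not exist "%TARGET%\DataBase\*.edb" (
    echo %STAMP% ERROR: no .edb file found in backup set>>"%LOGFILE%"
    exit /b 1
)

echo %STAMP% OK: CA database backed up to "%TARGET%">>"%LOGFILE%"
endlocal
exit /b 0
```

Schedule the script under an account that holds the backup operator role, and have the scheduled task treat a non-zero exit code as a failed run so that a missed backup is noticed.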
