Backing up Windows Server 2008 ADCS CA Keys

[EDIT 2/20/2012] This problem has recently been resovled in a hotfix update. System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 –



Backing up a Windows Server 2008 (Including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier versions of Windows. Windows Server 2008 incorporates a change to how the underlying private key store is maintained and linked in the file system. The private key is now stored in the hidden folder structure “%systemdrive%\ProgramData\Microsoft\Crypto\Keys” which is linked and accessible via “%systemdrive%\users\all users\microsoft\crypto\keys”. As a result of this change, System State Backups will no longer include the ADCS private keys. It is recommended that the CA keys are backed up to ensure you can properly recover a failed Certification Authority or to migrate to a new computer. In addition to regular System State Backups, we recommend you back up the CA keys using one of the following methods:

  • From a command prompt on the Certification Authority, perform a full CA backup by using the command certutil –backupKey <destination folder>. You will be prompted for a password to assign to the CA key p12 file.
  • By using the Certification Authority Administrative Tool MMC, right click the CA, All Tasks, Backup CA. The wizard will prompt you to select the Private Key to back up and a password to assign to the key.

In either case, the p12 file that is created is the life-blood of the Certification Authority. It should be kept in a secure and controlled location as access to the p12 file and associated password could enable unauthorized users to create and utilize certificates in your environment. This is the same security requirement prior to Windows Server 2008 System State Backups, as they contained the private key material as well. The CA keys should be backed up anytime the CA keys are renewed or reissued.

EDITED 8/19/2010: Clarified that this applies to both Windows Server 2008 and 2008 R2.


Comments (8)

  1. Anonymous says:

    The private key is usually not stored by a Certification Authority for an issued certificate (unless Key Recovery is implemented). So any certificate you export from the CA will NOT contain the private key unless you are explicity performing a Key Recovery. To get a certificate exported from the CA with a command line only approach, you can perform the following steps:

    1) Locate the requestID in the database or find another distinguishing attribute (Serial Number, etc…)

    2) Run the following two commands. The first exports the certificate in a raw format, the second decodes it into an X509 certificate.

    certutil –view –restrict RequestId=<ID FROM STEP1> –out RawCertificate > RequestCert.txt

    certutil –decode RequestCert.txt Certificate.cer

    If you are using another attribute other than RequestID, the -restrict statement should be changed to the appropriate attribute and value.

  2. Anonymous says:

    No, an additional backup is not required. Using "AllCritical" includes all critical drives, including the Operating System drive. The private keys are stored on the Operating System drive. For more information on "AllCritical", refer to…/deciding-between-system-state-backup-and-allcritical-backup-in-windows-server-2008.aspx.

  3. Anonymous says:

    Yes. The Snapshot will be a full backup of the guest operating system and will then give you all the files you need. The downside is the recovery is more difficult if you want to restore just certificate services and not the entire snapshot.

  4. Lakshmi says:

    This may be very trivial, how can i export only the certificate and not the private key of a issued certificate from the CA via command line. e.g a DC certificate.

  5. Yves says:

    We are using Windows Server Backup on Windows Server 2008 with the option -allcritical. Is it still necessary to backup the CA keys seperately?

  6. JayM says:

    In regards to hosting CAs on VMs. Would a Snapshot of the current state of a VM be a suitable backup option?

  7. Anonymous says:

    That’s a tricky point that can lead to serious problems. How can you restore ADCS database if you do

  8. Amit says:

    Whether Issuing CA also have private keys and hence we need to apply the patch specified above