Backing up Windows Server 2008 ADCS CA Keys

[EDIT 2/20/2012] This problem has recently been resolved in a hotfix update. System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 - https://support.microsoft.com/kb/2603469

Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier versions of Windows. Windows Server 2008 changes how the underlying private key store is maintained and linked in the file system. The private key is now stored in the hidden folder structure "%systemdrive%\ProgramData\Microsoft\Crypto\Keys", which is linked and accessible via "%systemdrive%\users\all users\microsoft\crypto\keys". As a result of this change, System State Backups no longer include the ADCS private keys. It is recommended that the CA keys be backed up so that you can properly recover a failed Certification Authority or migrate it to a new computer. In addition to regular System State Backups, we recommend you back up the CA keys using one of the following methods:

  • From a command prompt on the Certification Authority, perform a full CA key backup by running certutil -backupKey <destination folder>. You will be prompted for a password to assign to the CA key p12 file.
  • In the Certification Authority MMC, right-click the CA, then All Tasks, Backup CA. The wizard will prompt you to select the Private Key to back up and a password to assign to the key.

In either case, the p12 file that is created is the lifeblood of the Certification Authority. It should be kept in a secure and controlled location, as access to the p12 file and its associated password could enable unauthorized users to create and use certificates in your environment. This is the same security requirement that applied to System State Backups prior to Windows Server 2008, as they contained the private key material as well. The CA keys should be backed up any time the CA keys are renewed or reissued.
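The command-line method above, scripted end to end as an added example (this is not code from the original post): it creates an ACL-restricted destination folder before the key lands in it, runs certutil -backupKey with the password supplied via -p, and reads the resulting p12 back to confirm it is usable. The backup root path and the optional -config value are assumptions; run it elevated on the CA itself.

```powershell
# Added example: back up the ADCS CA private key with certutil -backupKey into a
# locked-down folder and verify the .p12. Assumes an elevated session on the CA.
param(
    [string]$BackupRoot = 'D:\CABackup',   # assumed destination; use a protected volume
    [string]$CaConfig   = ''               # optional "Machine\CAName" for -config; empty = local CA
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot "cakey-$stamp"
New-Item -ItemType Directory -Path $target | Out-Null

# Restrict the folder first so the p12 is never momentarily readable by ordinary users:
# strip inherited ACEs, then grant only SYSTEM and BUILTIN\Administrators (by SID,
# so the command does not depend on the OS display language).
& icacls.exe $target /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Prompt for the p12 password rather than embedding it in the script.
$secure = Read-Host -Prompt 'Password to protect the CA key backup' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# certutil -backupKey writes <CA name>.p12 into the folder. -p supplies the password
# (no interactive prompt); -f overwrites a stale file of the same name.
$cuArgs = @('-f', '-p', $plain)
if ($CaConfig) { $cuArgs += @('-config', $CaConfig) }
$cuArgs += @('-backupKey', $target)
& certutil.exe @cuArgs
if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed with exit code $LASTEXITCODE" }

# Verify: exactly one .p12 was produced and it opens with the password just set.
$p12 = @(Get-ChildItem -Path $target -Filter '*.p12')
if ($p12.Count -ne 1) { throw "Expected one .p12 in $target, found $($p12.Count)" }
& certutil.exe -p $plain -dump $p12[0].FullName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup file $($p12[0].FullName) could not be read back" }

Write-Host "CA key backed up to $($p12[0].FullName). Move it to offline, controlled storage."
```

The folder ACL only protects the file while it sits on the CA; the p12 and its password still need to be stored separately from each other, as the post describes.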

EDITED 8/19/2010: Clarified that this applies to both Windows Server 2008 and 2008 R2.