Microsoft KB Archive/185195

= How to use key and certificate backup/restore utility =

Article ID: 185195

Article Last Modified on 3/22/2007

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Certificate Server 1.0

-



This article was previously published under Q185195



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
This article describes how to use the key and certificate backup/restore utility to protect keys and certificates for Microsoft Certificate Server.



MORE INFORMATION
This utility applies specifically to the keys and certificates issued by Certificate Server. This utility is not designed to back up or restore certificates issued to other Certificate Authorities (CAs). This utility does not apply to log and database files used by Microsoft Certificate Server.

Mechanics
The existing certutil command-line utility has been enhanced to include backup and restore options.

The syntax is as follows:

'''certutil -backup

certutil -restore  '''

The value for  is used to secure the. Using the password and file name on the Restore option allows an encrypted file containing keys and certificates to be restored. The file contains the Certificate Authority's private key and certificate encrypted using PFX (PKCS #12). PKCS #12 is a part of the Public Key Cryptography Standards (PKCS) series from RSA Data Security, Inc. It is a standard for securely exporting and importing private material, including private keys.

For more information about RSA Data Security, visit the following Web site:

http://www.rsa.com

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Example 1
The following example demonstrates how the keys and certificates are saved to C:\Backup\Certfile:

C:\>Certutil -backup Pswd C:\Backup\Certfile

In this example, the password is Pswd, and the file containing the encrypted keys and certificates is named Certfile in the directory C:\Backup. To restore the same keys and certificates, use the following:

C:\>Certutil -restore Pswd C:\Backup\Certfile

Example 2
In this example, the keys and certificates for an existing Certificate Server application are backed up from a first computer and restored to a second computer.

Note Microsoft Windows NT Service Pack 6a must be installed on the original Certificate Server before you attempt this. This step is necessary to install the updated version of Certutil.exe.  The administrator enters the backup command from the first computer. The following command backs up the keys and certificates for CA_YOURCANAME to c:\backup\yourcertfile:

C:\>Certutil -backup  c:\backup\ 

Note Be sure to choose your own password and backup file name. Copy the backup file to the other computer. The receiving computer must be readied to receive the CAs keys and certificates. Installation of the Windows NT Option Pack is a prerequisite. A Typical installation is recommended, but all that is necessary is to make sure that Certificate Server is not installed from the original Windows NT Option Pack CD or download location. Instead, an updated version of Microsoft Certificate Server is available on the purchased Windows NT Server Service Pack 6a CD. Alternatively, the updated files are available at the following Microsoft Web site:

ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/certserv

Note The updated version of Certificate Server is required to allow the restore certificate functionality on the new certificate server. To install the Certificate Server QFE after downloading the files, follow the steps in the following Microsoft Knowledge Base article:

184695 Readme notes for Certificate Server update

 Make sure that the values used in the Setup dialog boxes for the newly installed Certificate Server computer are exactly the same as those for the Certificate Server computer from which the keys and certificates were obtained. This applies to the dialog box in which you enter identifying information and the dialog box in which you specify the Advanced Configuration. Restore the keys and certificates:

C:\>certutil -restore  a:\ 

 Restore keys and certificates for CA_YOURCANAME from a:\certfile. CA_YOURCANAME in this example is also the name of the CA on the new Certificate Server computer that will eventually receive these keys and certificates.</li> Move the existing certificate files created during initial installation of Certificate Server out of the shared folder, so that no certificate files exist in the shared folder. For example, if the new computer to which the CA is to be restored is named M2, then the certificate files would be named M2_YOURCANAME.crt and M2_YOURCANAME_Exchange.crt.</li> Uninstall and reinstall Certificate Server. Do this using QFE distribution files and the command-line install utility. In the following example, the QFE files for Certificate Server are stored in the directory C:\certqfe:

'''C:\>CD C:\Certqfe

C:\>SYSOCMGR /i:Certmast.inf /n'''

This step starts the Setup utility for uninstall. When the Select Components dialog box appears, the Certificate Server check box will be selected. Clear it and click Next. After the installation is complete, reinstall Certificate Server, this time using the restored keys and certificates.

'''C:\>CD C:\Certqfe

C:\>SYSOCMGR /i:Certmast.inf /n'''

</li> When the Select Components dialog box appears, the Certificate Server check box is not selected. Select it, and then click Next.</li> In the first Microsoft Certificate Server Setup dialog box, type the name of the shared folder on the new computer (and where you previously copied the certificate files). Also, click to select the Show Advanced Configuration check box. Click Next.</li> In the second Microsoft Certificate Server Setup dialog box, click to select the Use Existing Keys check box. Select the entry in the list box corresponding to your CA name. Click Next.</li> In the third Microsoft Certificate Server Setup dialog box, type a description.

Note The only configuration choice available in this step is the CA description.

After you enter a description, click Next.</li> At the end of Setup, the certificate service is stopped. Before you start the service, manually copy over the Certificate Server database from the original Certificate Server and overwrite the Certificate Server database that was created during installation. By default, the location of the file is %Winnt%\System32\CertLog\Certsrv.mdb.

Note Stop the service on the original computer before you do this.

After the updated database in in place, reapply Windows NT Service Pack 6a to the computer and then restart. If the certificate service does not start after the restart, see the following Knowledge Base articles:

241060 Error message: The Certificate Server did not start: unable to initialize the database connection

217339 Certificate Server fails to start with Event ID 7000 or 7009

Note Installing Certificate Server is necessary to obtain Certutil.exe, and Certutil.exe is necessary to restore backup keys. Therefore, you must install a temporary Certificate Server to restore the keys to a new computer's registry. After you restore the backup keys, uninstall and reinstall to reuse the restored keys. Also, the new certificate server does not have to have the same NetBIOS computer name as the original Certificate Server. If the NetBIOS name is changed to a different name, remember to update the name resolution method used (for example, DNS or WINS) accordingly so that clients can still connect to the server.</li></ol>

After you complete the above steps, your restored CA is now available. To use the CA in Internet Information Server, make sure that the World Wide Web Publishing Service is also started.

certutil -backup
This command backs up the CA private and public keys for the signing and exchange certificates from the CA_CAName cert store and the CAName HKEY_LOCAL_MACHINE key container, as well as the certificates themselves, into a PFX file.

certutil -restore
This command restores the keys and certificates from a PFX file into the registry into the CA_CAName cert store and the CAName HKEY_LOCAL_MACHINE key container.

This allows the backup of the keys, which was not supported in the initial release of the Windows NT Option Pack. With the advent of Service Pack 4, if a server fails, a new server can be installed with the same computer name. The old CA keys can be restored onto the new computer, and the Certificate Server reinstalled, using the Advance dialog during the installation to reuse the keys and certificates. After installation, use Certutil.exe to accomplish backup and restore of the Certificate Server's database file, and the Certificate Server's configuration is restored.

Note Installing Certificate Server is necessary to obtain Certutil.exe, and Certutil.exe is necessary to restore backup keys. Therefore, you must install a temporary Certificate Server to restore the keys to a new computer's registry. After you restore the backup keys, uninstall and reinstall to reuse the restored keys.

Keywords: kbhowto KB185195

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.