how to backup Certificate templates

TheMSsForum.com: The Microsoft Software Forum

Hi,

I have backup my sub CA Private Key, CA Cert, Caert Database and Cert DB
log, using CA snap-in, does this backup also include Certificate templates?
If not included, how do I backup? any link in Microsoft for this solution?
Thanks for all replies.
Top

Re: how to backup Certificate templates by Miha

Miha
Wed Nov 02 01:23:26 CST 2005

Hi,

Certificate templates are stored in Active Directory and replicated to all
domain controllers. Unless something happens to your domain controllers they
are safe there. When you do a backup of your Active Directory - certificate
templates are included.

--
Mike
Microsoft MVP - Windows Security

"lbcben" <lbcben@discussions.microsoft.com> wrote in message
news:AB4B1247-44F1-4B6E-AF68-F0876455B7F6@microsoft.com...
> Hi,
>
> I have backup my sub CA Private Key, CA Cert, Caert Database and Cert DB
> log, using CA snap-in, does this backup also include Certificate
> templates?
> If not included, how do I backup? any link in Microsoft for this solution?
> Thanks for all replies.


Top

Re: how to backup Certificate templates by lbcben

lbcben
Wed Nov 02 02:11:01 CST 2005

Hi,

There's nothing wrong with my domain controller, so does it mean that by
performing Sub CA backup using CA snap-in, is sufficient enough.

I'm confusing between using CA snap-in to backup private key AND using
saving registry setting by exporting
HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

For normal CA snap-in, I ticked Private Keys, CA Certificate Issued Log and
Pending Requests, then I perform registry exporting.

Am I doing double work?..or actually, I just use CA snap-in backup will do?

Please advise
Thanks

"Miha Pihler [MVP]" wrote:

> Hi,
>
> Certificate templates are stored in Active Directory and replicated to all
> domain controllers. Unless something happens to your domain controllers they
> are safe there. When you do a backup of your Active Directory - certificate
> templates are included.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "lbcben" <lbcben@discussions.microsoft.com> wrote in message
> news:AB4B1247-44F1-4B6E-AF68-F0876455B7F6@microsoft.com...
> > Hi,
> >
> > I have backup my sub CA Private Key, CA Cert, Caert Database and Cert DB
> > log, using CA snap-in, does this backup also include Certificate
> > templates?
> > If not included, how do I backup? any link in Microsoft for this solution?
> > Thanks for all replies.
>
>
>
Top

Re: how to backup Certificate templates by Paul

Paul
Wed Nov 02 02:12:04 CST 2005

In article <#smfS533FHA.1420@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.security news group, Miha Pihler [MVP] <mihap-
news@atlantis.si> says...

> Hi,
>
> Certificate templates are stored in Active Directory and replicated to all
> domain controllers. Unless something happens to your domain controllers they
> are safe there. When you do a backup of your Active Directory - certificate
> templates are included.

However, if you want to simply backup and restore your certificate
templates this can be easily accomplished with an LDIF dump of Public
Key Services\Certificate Templates and Public Key Services\OID.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
Top

Re: how to backup Certificate templates by Paul

Paul
Wed Nov 02 02:23:15 CST 2005

In article <80E88F04-0F09-4052-9EAF-4AF8133E3C7B@microsoft.com>, in the
microsoft.public.security news group, =?Utf-8?B?bGJjYmVu?=
<lbcben@discussions.microsoft.com> says...

> Hi,
>
> There's nothing wrong with my domain controller, so does it mean that by
> performing Sub CA backup using CA snap-in, is sufficient enough.

You only have one domain controller? That's not a good idea even if you
weren't using Certificate Services. You should be performing a system
state backup of your domain controller in addition to your CA backups.
See my other response for backing up the templates independently of AD.

>
> I'm confusing between using CA snap-in to backup private key AND using
> saving registry setting by exporting
> HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
>
> For normal CA snap-in, I ticked Private Keys, CA Certificate Issued Log and
> Pending Requests, then I perform registry exporting.
>
> Am I doing double work?..or actually, I just use CA snap-in backup will do?

No, you're on the right track. Backing up the CA database and private
key through the MMC does not back up the CA registry entries.

You should also be performing a system state backup of your CA which
includes Certificate Services.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S
erverHelp/b70185ed-93aa-4346-b869-9913282086af.mspx

or

http://tinyurl.com/7az4a


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
Top