Leave the default database and log locations.
Click Configure.
The status "Configuration succeeded" appears.
Click Close.
Click Close.
Now that your CA has been restored with the same certificate and "public key/private key" pair, you need to restore the backup created earlier to recover the list of issued or revoked certificates, the custom certificate templates you had created, the revocation lists, and so on.
To do this, open the "Certification Authority" console, right-click the name of your certification authority and choose "All Tasks -> Restore CA".
As the Certification Authority Restore Wizard indicates, Active Directory Certificate Services can't run during CA restore.
Click "Yes" to stop Active Directory Certificate Services.
Active Directory Certificate Services are shutting down.
Once Active Directory Certificate Services are stopped, the Certification Authority Restore Wizard will appear.
Since we have already restored the certificate and the private key of our certification authority, it's unnecessary to check the 1st box.
So, check only the 2nd box (Certificate database and certificate database log).
Next, provide the network path of the shared folder (created earlier) where your CA backup is located.
Click Finish.
After the restore is complete, a warning will appear asking whether you want to restore incremental backups as well or not.
Click Yes to start Active Directory Certificate Services.
Wait while Active Directory Certificate Services starts.
Certificate Services has been started.
If you go to the "Revoked Certificates" folder, you will see that the list of revoked certificates has been restored.
If you right-click "Revoked Certificates" and choose "Properties", you will see that the revocation lists have also been restored.
If you click on "View CRL" and then go to the "Revocation List" tab, you will see that the list of revoked certificates has been restored.
The list of issued certificates has also been restored.
The list of custom certificate templates has also been restored.
To see the complete list, right-click the "Certificate Templates" folder and choose "Manage".
However, note that your authority settings will not be restored automatically.
This is why it is worth using the "CAPolicy.inf" configuration file for the initial configuration of your CA and "certutil" commands for post-installation configuration: they let you quickly restore the configuration of your CA.
In our case, we had enabled auditing of all events for our CA after it was installed.
As you can see, auditing is no longer enabled, despite our authority backup being restored.
To quickly re-enable auditing on our CA, we'll reuse the same command we used in the past:
certutil -setreg CA\AuditFilter 127
For the change to take effect in this case, we also need to restart our authority:
net stop certsvc && net start certsvc
Now, auditing has been re-enabled.
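The same check and repair as a script (an added example, not part of the original tutorial): it compares the CA's registry settings against a baseline after a restore, re-applies any that differ with "certutil -setreg", and restarts the service only if something changed. The baseline table and variable names are assumptions; only AuditFilter = 127 comes from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: re-apply post-installation CA settings after a restore.
# Settings that restoring the CA database does not bring back.
# Only AuditFilter = 127 comes from this tutorial; add your own entries.
$Baseline = [ordered]@{
    'AuditFilter' = 127
}

# The "Active" value of the CertSvc configuration key holds the CA name.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty -Path $ConfigKey -Name Active -ErrorAction Stop).Active
$CaKey     = Join-Path $ConfigKey $CaName

# Read one value from the CA's registry key; returns $null when it is missing.
function Get-CaSetting([string]$Name) {
    (Get-ItemProperty -Path $CaKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$changed = $false
foreach ($name in $Baseline.Keys) {
    $expected = $Baseline[$name]
    $current  = Get-CaSetting $name
    if ($current -eq $expected) {
        Write-Host "[OK] $name = $current"
        continue
    }
    Write-Warning "$name is '$current', expected '$expected'; re-applying"
    & certutil.exe -setreg "CA\$name" $expected | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg CA\$name failed with exit code $LASTEXITCODE"
    }
    $changed = $true
}

if ($changed) {
    # Same effect as "net stop certsvc && net start certsvc".
    Restart-Service -Name certsvc
    foreach ($name in $Baseline.Keys) {
        if ((Get-CaSetting $name) -ne $Baseline[$name]) {
            throw "$name still differs from the baseline after the restart"
        }
    }
    Write-Host "Baseline re-applied on '$CaName' and certsvc restarted."
} else {
    Write-Host "No drift on '$CaName'; certsvc was not restarted."
}
```

Run it in an elevated PowerShell session on the CA server once the restore wizard has finished.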
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.