Backup and restore a certificate authority (CA) on Windows Server 2016

  • Windows Server
  • 29 December 2023 at 09:27 UTC
  • InformatiWeb
  • 3/3

Leave the default database and log locations.

Click Configure.

The status "Configuration succeeded" appears.
Click Close.

Click Close.

3.4. Restore your CA backup

Now that your CA has been restored with the same certificate and "public key/private key" pair, you need to restore the backup created earlier to recover the list of issued and revoked certificates, the custom certificate templates you had created, the revocation lists, and so on.

To do this, open the "Certification Authority" console, right-click the name of your certification authority and choose "All Tasks -> Restore CA".

As the Certification Authority Restore Wizard indicates, Active Directory Certificate Services can't run during CA restore.
Click "Yes" to stop Active Directory Certificate Services.

Active Directory Certificate Services are shutting down.

Once Active Directory Certificate Services are stopped, the Certification Authority Restore Wizard will appear.

Since we have already restored the certificate and the private key of our certification authority, it's unnecessary to check the 1st box.

So, check only the 2nd box (Certificate database and certificate database log) to restore:

  • the issued certificates
  • the revoked certificates
  • the custom certificate templates
  • the revocation lists (CRL and delta CRL)
  • and more

Next, provide the network path of the shared folder (created earlier) where your CA backup is located.

Click Finish.

After the restore is complete, a warning will appear asking whether you also want to restore incremental backups.
Click Yes to start Active Directory Certificate Services.

Wait while Active Directory Certificate Services starts.

Certificate Services has been started.

If you go to the "Revoked Certificates" folder, you will see that the list of revoked certificates has been restored.

If you right-click "Revoked Certificates" and choose "Properties", you will see that the revocation lists have also been restored.

If you click "View CRL" and then go to the "Revocation List" tab, you will see that the list of revoked certificates has been restored.

The list of issued certificates has also been restored.

The list of custom certificate templates has also been restored.
To see the complete list, right-click the "Certificate Templates" folder and choose "Manage".

However, note that your authority settings will not be restored automatically.
This is why it is worth using the "CAPolicy.inf" configuration file for the initial configuration of your CA and "certutil" commands for post-installation configuration: they let you quickly restore the configuration of your CA.

In our case, we had enabled auditing of all events for our CA after it was installed.
As you can see, auditing is no longer enabled, despite our authority backup being restored.

To quickly re-enable auditing on our CA, we'll reuse the same command we used earlier:

Batch

certutil -setreg CA\AuditFilter 127

For the change to take effect, we also need to restart our authority:

Batch

net stop certsvc && net start certsvc

Now, auditing has been re-enabled.
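
As an added example (not part of the original tutorial), the PowerShell script below can be run after a restore to compare the CA's audit filter with the value 127 used above, show which audit categories each bit enables, and re-apply the value if it was lost. It assumes an elevated session on the CA server; the function and variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the CA audit filter after a restore and re-apply it.
$ExpectedFilter = 127   # value set with certutil in this tutorial (all categories)

# Bit flags of CA\AuditFilter, matching the checkboxes on the CA "Auditing" tab
$AuditBits = @(
    @{ Bit = 1;  Name = 'Start and stop Active Directory Certificate Services' }
    @{ Bit = 2;  Name = 'Back up and restore the CA database' }
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' }
    @{ Bit = 8;  Name = 'Revoke certificates and publish CRLs' }
    @{ Bit = 16; Name = 'Change CA security settings' }
    @{ Bit = 32; Name = 'Store and retrieve archived keys' }
    @{ Bit = 64; Name = 'Change CA configuration' }
)

function Get-CaAuditFilter {   # illustrative helper name
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # "Active" holds the name of the CA configured on this server
    $caName = (Get-ItemProperty -LiteralPath $cfg -Name Active).Active
    $caKey  = Join-Path $cfg $caName
    $raw    = (Get-ItemProperty -LiteralPath $caKey -Name AuditFilter `
                   -ErrorAction SilentlyContinue).AuditFilter
    [pscustomobject]@{ CaName = $caName; AuditFilter = [int]$raw }   # missing value -> 0
}

function Show-CaAuditFilter($State) {
    "CA '$($State.CaName)': AuditFilter = $($State.AuditFilter)"
    foreach ($b in $AuditBits) {
        $mark = if ($State.AuditFilter -band $b.Bit) { '[x]' } else { '[ ]' }
        "  $mark $($b.Name)"
    }
}

$state = Get-CaAuditFilter
Show-CaAuditFilter $state

if ($state.AuditFilter -ne $ExpectedFilter) {
    certutil -setreg CA\AuditFilter $ExpectedFilter | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name certsvc      # same effect as net stop / net start
    Show-CaAuditFilter (Get-CaAuditFilter)
}

# The CA only writes these events to the Security log when the OS audit policy
# "Certification Services" (Object Access) is enabled; display its current state.
auditpol /get /subcategory:"{0CCE9221-69AE-11D9-BED3-505054503030}"
```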

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.