First published on TECHNET on Aug 06, 2010
[EDIT 2/20/2012] This problem has since been resolved in a hotfix update: "System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2" - http://support.microsoft.com/kb/2603469
Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier versions of Windows. Windows Server 2008 changed how the underlying private key store is maintained and linked in the file system. The private key is now stored in the hidden folder structure "%systemdrive%\ProgramData\Microsoft\Crypto\Keys", which is linked and accessible via "%systemdrive%\users\all users\microsoft\crypto\keys". As a result of this change, System State Backups no longer include the ADCS private keys. Back up the CA keys separately so that you can recover a failed Certification Authority or migrate it to a new computer. In addition to regular System State Backups, we recommend you back up the CA keys using one of the following methods:
In either case, the p12 file that is created is the life-blood of the Certification Authority. Keep it in a secure and controlled location: anyone who obtains the p12 file and its password holds the CA's signing key and can issue and use certificates that your environment trusts. This is the same requirement that applied to System State Backups before Windows Server 2008, since those contained the private key material as well. Back up the CA keys again whenever the CA certificate is renewed or reissued; a renewal with a new key pair adds a key that the earlier backup does not contain.
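As a worked example of the certutil method, here is a PowerShell script that is added to this post and is not part of the original article. It assumes you run it as an administrator in PowerShell on the CA itself; the backup folder, the timestamped folder name and the ACL principals granted by icacls are assumptions chosen for illustration and can be changed for your environment. The certutil switches used (-backupKey, -f, -p, -config, -dump) are the documented ones.

```powershell
# Added example, not from the original post. Backs up the CA's private key and
# certificate to a PKCS#12 (.p12) file with certutil, after locking down the
# destination folder so only Administrators and SYSTEM can read the result.

$BackupRoot = 'D:\CABackup'                      # assumption: a non-system volume
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$Target     = Join-Path $BackupRoot "CAKey-$Stamp"

# Create the folder first so the ACL is in place before the key file is written.
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Strip inherited ACEs and grant full control only to Administrators and SYSTEM.
icacls $Target /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Prompt for the .p12 password instead of hard-coding it in the script.
# (certutil -backupKey prompts on its own if -p is omitted; -p is used here so the
#  same password can be reused for the verification step below.)
$Secure = Read-Host -AsSecureString -Prompt 'Password for the .p12 file'
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# -backupKey writes "<CA common name>.p12" into $Target; -f overwrites an existing
# file. Add -config "Machine\CAName" to target a specific CA if more than one is
# installed. Use -backupDB (database only) or -backup (keys and database) as needed.
certutil -f -p $Plain -backupKey $Target
if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed with exit code $LASTEXITCODE" }

# Verify that a .p12 was produced and that it opens with the password we supplied:
# certutil -dump on a PKCS#12 file fails if the password is wrong or the file is
# damaged, which is exactly the failure you want to catch now rather than during a
# recovery.
$P12 = Get-ChildItem -Path $Target -Filter '*.p12' | Select-Object -First 1
if (-not $P12) { throw "No .p12 file was written to $Target" }

certutil -p $Plain -dump $P12.FullName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "The .p12 file could not be opened with the supplied password" }

# Do not leave the plaintext password in the session.
Remove-Variable Plain, Bstr -ErrorAction SilentlyContinue

Write-Host "CA key backup written to $($P12.FullName)"
```

Copy the resulting folder to offline or otherwise controlled storage and treat the password as a separate secret from the file. To recover, run certutil -restoreKey against the backup folder (or the .p12 file directly, supplying the password with -p) on the rebuilt CA before restoring the database.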
EDITED 8/19/2010: Clarified that this applies to both Windows Server 2008 and 2008 R2.