Shulou(Shulou.com)06/02 Report--

CA Backup

Even if you don't plan to migrate CA, you should make a backup of CA. CA backup is different from what we usually do. CA backup needs to be realized through the following steps:

If you are preparing to back up an enterprise CA, click Certificate Template in the CA console and note down the names listed in the certificate template. These templates are stored in the AD domain, so you don't need to backup them. You have to know exactly which templates are being migrated from CA because you have to manually add them after migration.

In the CA console, right-click the CA name, select "All Tasks," and then click "Backup CA" to open the CA Backup Wizard. In the Backup Wizard, you need to select the CA's private key, CA certificate, certificate database, and certificate database log. You can also specify a suitable location for storing the backup content. For security reasons, it is best to set a password to protect the CA private key.

After the backup is complete, you should open Registry Editor and locate and export the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Note: We recommend saving the exported file for this registry key to a folder in CA backup.

Once you've done that, you'll need to uninstall the CA from the old server and rename or disconnect it from the network once you want to migrate the CA to another computer.

CA reduction

A restore of a CA is usually done when the current CA must be repaired or migrated to another server.

To restore CA, follow these steps:

Install the AD CS role on the target computer. Choose to install a standalone CA or an enterprise CA, depending on the type of CA you want to migrate. When you see the "Specify private key type" page, click "Use existing private key" and select "Select a certificate and use its associated private key" to allow you to continue using the old server's certificate on the new CA server.

On the "Existing Certificate" page, click Import, enter the storage path of the.p12 file generated when backing up the CA, then enter the password set when backing up, and then click OK. When you are prompted for "Public and Private Key Pair," make sure that the existing key is selected. This step is critical if you want to use the same root CA certificate.

When you go to the "Certificate Database" page, specify the same storage location as the old server to store the certificate database and certificate database log. After these steps are completed, click "Configuration" and wait for the installation wizard to complete.

After installation, open the AD CS service plug-in and restore the old server settings.

Locate the registry file exported at backup time and double-click to import it into the registry.

After restoring the registry settings, open the CA administration console, right-click the CA name, click "All Tasks," then click "Restore CA," and the CA restore wizard will appear. In the wizard, you can select "Private Key and CA Certificate" and "Certificate Database and Certificate Database Log," here to specify the object you want to restore. The next step is to enter a backup folder location and verify that the restored settings are OK. "Issue Log" and "Pending Request" in restore settings should be "Display."

When the restore is complete, select Restart AD CS service.

If you are restoring an enterprise CA, you need to make sure that the certificate template saved in the AD domain of the previous record is visible and available on the new CA.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.