Maintaining and Managing a PKI
CA servers, issued certificates, and associated private keys are critical components of a network that depends on a public key infrastructure, so these components must be maintained and protected against disasters. In addition, key CA administrative roles must be assigned to responsible, trusted users to carry out the numerous tasks in maintaining a PKI environment.
Starting with Windows Server 2003, Microsoft introduced CA role-based administration, which limits the PKI tasks a domain administrator account can perform. By default, administrators can perform all tasks on a CA server. However, after roles have been assigned, administrators can perform only tasks related to their assigned roles. Whether you use role-based administration or not, four key roles must be filled to administer a CA and its components:
CA Administrator —Configures and maintains CA servers. This role can assign all other CA roles and renew the CA certificate. To assign this role, give the selected user the Manage CA permission in the Security tab of the CA server's Properties dialog box.
Certificate Manager —Approves requests for certificate enrollment and revocation. To assign this role, give the selected user the Issue and Manage Certificates permission in the Security tab of the CA server's Properties dialog box.
Backup Operator —Not so much a CA role as an OS right. Members of the local Backup Operators group or a user who has been assigned the Backup files and directories and Restore files and directories rights can perform this role.
Auditor —Manages auditing logs. Assigning the Manage auditing and security log right confers this role on a user.
For more on CA role-based administration, see http://technet.microsoft.com/en-us/library/cc739182.aspx.
CA Backup and Restore
Regular backup of all servers in a network is mandatory. When a full backup or system state backup is performed on a CA server, the certificate store is backed up along with other data. You might also want to back up the certificate database on each CA separately. The Active Directory Certificate Services snap-in in Server Manager includes a simple wizard-based backup utility you can use to perform backups with the following options:
Private key and CA certificate —Backs up only the local CA's certificate and private key.
Certificate database and certificate database log —Backs up the certificates issued by this CA. If your certificate database is large, you can choose to perform incremental backups, which back up only the changes to the database since the last full or incremental backup.
You can also use the Certutil command-line program to back up the CA, and you can automate the process by using the command in a batch file or script and using Windows Task Scheduler to perform periodic backups of the CA database.
Like backup, CA restores can be performed with the Active Directory Certificate Services snap-in or the Certutil program. Before you can restore the CA database, however, the CA service must be stopped. When you start the CA Restore Wizard, you're prompted to stop the service.
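The Certutil backup and Task Scheduler automation described above, as an added example that is not code from the textbook or from Microsoft. It assumes an elevated PowerShell session on the CA server; the backup path, the script path, and the CORP\ca-backup account are placeholders, and the scheduled job uses a database-only backup so that no key-protection password has to be stored with the task.

```powershell
<#
  Added example (not from the textbook): back up the AD CS certificate database with
  Certutil and register a daily Task Scheduler job for it.
  Assumptions: run elevated on the CA server; $BackupRoot, C:\Scripts\Backup-CA.ps1 and
  the CORP\ca-backup account are placeholders to replace with your own values.
#>
param(
    [string]$BackupRoot = 'D:\CABackup',   # assumed path; use a volume that is itself backed up
    [switch]$Incremental,                  # only changes since the last full or incremental backup
    [switch]$Register                      # register the daily Task Scheduler job and exit
)

if ($Register) {
    # Daily incremental backup run as a dedicated account that holds only the Backup Operator
    # role (Backup/Restore files and directories rights), not CA Administrator.
    # /RP * makes schtasks prompt for the password instead of placing it on the command line.
    schtasks.exe /Create /F /TN 'AD CS Database Backup' /SC DAILY /ST 02:00 `
        /RU 'CORP\ca-backup' /RP * `
        /TR "powershell.exe -NoProfile -File C:\Scripts\Backup-CA.ps1 -Incremental"
    exit $LASTEXITCODE
}

$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# The folder will hold the issued-certificate database, so restrict it to Administrators
# and the backup account before anything is written into it.
icacls.exe $target /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'CORP\ca-backup:(OI)(CI)M' | Out-Null

# -backupDB exports the database (with KeepLog, its log files too) but not the private key,
# so no password is needed and the job can run unattended. The CA certificate and key change
# only at renewal; back them up interactively with "certutil -backupKey <dir>", which prompts
# for a password to protect the exported PFX.
$certArgs = @('-backupDB', $target)
if ($Incremental) { $certArgs += 'Incremental' }   # requires an earlier full backup to exist
$certArgs += 'KeepLog'
& certutil.exe @certArgs
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with exit code $LASTEXITCODE" }

# Verify that files were actually written rather than trusting the exit code alone.
if (-not (Get-ChildItem -Path $target -Recurse -File)) { throw "No backup files found in $target" }
Write-Host "Backup written to $target"

# Restore order, as the text notes: stop the CA service first (net stop certsvc),
# then "certutil -restoreDB <dir>", then net start certsvc.
```

Run the script once without switches for the initial full backup, then `-Register` to schedule the incremental job.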
Activity 11-10: Backing Up the CA Server
Time Required: 10 minutes
Objective: Back up the CA server.
Description: Your CA server has been up and running and issuing certificates. You realize the importance of data the CA manages, so you perform a backup of the CA certificate, private key, and certificate database.