1. Log on to Server1XX as Administrator and open Server Manager, if necessary.
2. First, you need to create a folder for storing the backup. Normally, this folder is on another server or removable media. For this activity, create a folder named CABackup in the root of the C drive.
3. In the left pane of Server Manager, click to expand the Roles node and the Active Directory Certificate Services node.
4. Right-click the CA server node, point to All Tasks, and click Back up CA to start the Certification Authority Backup Wizard. Click Next in the welcome window.
5. In the Items to Back Up window, click Private key and CA certificate and Certificate database and certificate database log.
6. Click the Browse button next to the Back up to this location text box. In the Browse for Folder dialog box, navigate to and click the CABackup folder you just created, and click OK. Click Next.
7. In the Password and Confirm password text boxes, type Password01, and then click Next. In the Completing the Certification Authority Backup Wizard window, click Finish. The backup begins.
8. Close any open windows, and stay logged on for the next activity.
Key and Certificate Archival and Recovery
If a user's private key is lost or damaged, he or she might lose access to systems or documents. If the key has been used for authentication to a system, a new certificate and key can be issued. However, if the key was used for applications such as EFS, the user loses access to encrypted documents. If a Data Recovery Agent has been assigned to the user's documents, they can be recovered, but Data Recovery Agents should be used only when there's no hope of the document owner regaining access to the files. By using key archival, private keys can be locked away and then restored if the user's private key is lost. Private keys can be lost if a user's profile is lost or corrupted or a smart card holding the private key is lost or damaged.
There are two methods for archiving private keys. Manual archival requires users to export their keys to a file by using the Certificates snap-in. The file is password-protected, and the password must be entered to import the key. The certificate the private key is related to must allow the private key to be exported. The default setting for private key export depends on the type of certificate template. For example, the default setting on an EFS or User certificate template is to allow exportation. The default setting on a Computer or IPSec template is to not allow exporting the private key.
The procedure for exporting the private key for a certificate is straightforward:
1. Open the Certificates snap-in.
2. Locate the certificate for the key you want to export.
3. Right-click the certificate, point to All Tasks, and click Export.
4. The Certificate Export Wizard walks you through the process.
The Certificate Export Wizard exports the certificate and optionally exports the private key if allowed. You're prompted to select the format for the certificate export (see Figure 11-18). However, the only format supported for exporting the private key along with the certificate is Personal Information Exchange. If only the certificate is exported, other formats are enabled. You might want to export the certificate without the private key if the certificate is to be used on another computer or OS or for later recovery if the certificate is lost. To import a certificate and/or the private key, in the Certificates snap-in, simply right-click the folder where you want to import the key, point to All Tasks, and click Import. You're asked to supply the password used when the certificate was exported.
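The same export decisions the wizard makes (is the private key exportable, and therefore PFX with a password, or certificate-only in another format) can be scripted. This is an added example, not the textbook's own activity; it assumes the PKI module cmdlets Export-PfxCertificate and Export-Certificate (Windows 8 / Server 2012 and later) and the caller-supplied $Thumbprint, $OutDir and $PfxPassword values.

```powershell
# Added example: script the Certificate Export Wizard choices described above.
# Assumes the PKI module (Export-PfxCertificate, Export-Certificate) and a
# certificate thumbprint from the current user's Personal store.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $OutDir = "$env:USERPROFILE\CertExport",
    [SecureString] $PfxPassword = (Read-Host -AsSecureString -Prompt 'PFX password')
)

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Check whether the issuing template allowed private key export. This reads the
# CSP key container flag; keys stored by a CNG provider expose it through the
# key's ExportPolicy instead, so treat a missing value as "not exportable".
$keyExportable = $false
if ($cert.HasPrivateKey -and $cert.PrivateKey) {
    $keyExportable = [bool] $cert.PrivateKey.CspKeyContainerInfo.Exportable
}

if ($keyExportable) {
    # Personal Information Exchange (.pfx) is the only format that carries the
    # private key; the file is protected by the password, as in the wizard.
    $pfx = Join-Path $OutDir "$Thumbprint.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword | Out-Null
    Write-Host "Certificate and private key written to $pfx"
} else {
    # Without the key, the other formats are available; DER-encoded .cer is the
    # form you hand to another computer or keep for later recovery.
    $cer = Join-Path $OutDir "$Thumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $cer -Type CERT | Out-Null
    Write-Host "Certificate only written to $cer (private key not exportable)"
}
```

To bring a .pfx back into the store, the matching cmdlet is Import-PfxCertificate with the same password, which is the scripted equivalent of the snap-in's All Tasks, Import step.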