Backup Certificate Authority Powershell CMD

Securing the certification authority

Backup Certificate Authority

In an emergency, you should have backed up the certification authority manually once or more often and stored it securely in a safe.

The backup of the CA should contain the following information or data.

  • CA database
  • Private key certificate
  • Configuration data from the registry
  • Individual blacklist distribution points (web server or file share)
  • Individual DNS entries
  • Information on the installed services such as CEP or OCSP
  • CAPolicy.inf from the initial installation

The database can be backed up together with the CA's private key either via the GUI or by script.

Secure the certification authority with a CA certificate

When creating a backup, please always assign a complex password.

Certificate database and certificate database log

We can find the required information in the registry under this path. The entire CertSvc key must be exported.

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ CertSvc

Backup CA Registry

The individual blacklist distribution points should be found in the documentation that was created after the initial installation 😉

DNS entries should also be in the documentation, as should the additionally set up services.

We can usually still find CAPolicy.inf under C: \ Windows

Save CAPolicy.inf

Backup of the CA via Powershell

The certification body can also be secured using Powershell or CMD.

These commands either back up the database including the private key, or only the database or only the private key. None of these commands will set a password on the backup.

Backup-CARoleService -Path “C: \ BackupCA”
Backup-CARoleService -Path “C: \ BackupCA” -DatabaseOnly
Backup-CARoleService -Path “C: \ BackupCA” -KeyOnly

Powershell Backup CA

Export the registry settings of the CA.

Invoke-Command {reg import 'HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ CertSvc' C: \ BackupCA \ CertSvc.reg}

or remotely via a secure connection

Invoke-Command -ComputerName SRVSUBCA {reg export 'HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ CertSvc' C: \ BackupCA \ CertSvc.reg} -UseSSL

Back up the Policy.inf
$ Path = “\\ SecureServer \ BackupCA
Copy-Item $ Env: windir \ CAPolicy.inf -Destination $ Path -Force -ErrorActionSilentlyContinue

Backup of the CA via CMD

certutil –backupDB C: \ BackupCA
certutil –backupKey C: \ BackupCA

When saving the key, a password is expected but not forced.

Certutil Backup CA

Optional: The public certificate and the certificate chain

certutil -ca.cert “C: \ BackupCA \ CAcert.cer”
certutil -ca.chain “C: \ BackupCA \ CAchain.p7b”

Backup CA Certificate

Export the registry settings of the CA.

reg export HKLM \ System \ CurrentControlSet \ Services \ CertSvc \ Configuration Configuration.reg

Backup Certificate Configuration Registry

Back up the published certificate templates

certutil -catemplates> “C: \ BackupCA \ CAvorlagen1.txt”
certutil -v -template> C: \ BackupCA \ CAvorlagen2.txt ”

Backup published CA templates

Back up the CAPolicy.inf

copy C: \ Windows \ CAPolicy.inf C: \ BackupCA

Save CAPolicy.inf

Restore the certification authority via CMD

Stop the service

net stop certsvc

Import the database

certutil -f -restoredb C: \ BackupCA

Import the registry key Configuration.reg. If it is a new server, the reg key must be adjusted accordingly.

reg import C: \ BackupCA Configuration.reg

Republish certificate templates. To do this, insert the templates after the +, separated by commas. If you want to withdraw a published template, you replace the + sign with a - sign.

certutil -setcatemplates + CodeSHA256, RDPAuth, Kerberos, Exchange, DCs, WEB, WEBSHA256

If you want to make the templates available again via remote. For me the server is called like the CA.

certutil -config SRVSUBCA \ SRVSUBCA -SetCaTemplates + CodeSHA256, RDPAuth, Kerberos, Exchange, DCs, WEB, WEBSHA256

Restore published certificates

Start the service

net start certsvc

Migration of a certification authority

If you want or have to migrate a CA, you can install the CA role and specify the previously secured private key during installation. Then simply execute the CMD commands to restore.

Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CertFile “C: \ BackupCA \ SRVSUBCA.p12” -CertFilePassword (Read-Host “Backup password” -AsSecureString)


Publish certificate templates again via Powershell

$ templates = “CodeSHA256”, ”RDPAuth”, ”Kerberos”, ”Exchange”, ”DCs”, ”WEB”, ”WEBSHA256”
foreach ($ i in $ templates) {
Add-CATemplate -Name $ i -Force

PKI - Commandline certutil