Backup and restore - Uwe Gradenegger

Checking the integrity of backups of the certification authority database

Within the framework of the creation of a Backup of a certification authority The question may arise as to how to ensure that the integrity of the certification authority database backup is guaranteed so that it can be properly restored can be.

The Certification Authority database is available in a Microsoft JET Blue database engine (also known as Extensible Storage Engine, ESE). Their working and backup files have the extension .edb and can be created with the operating system tool esentutl be managed.

Restoring certificates from the SMTP Exit Module data

If you restore a certification authority from a backup after a disaster has occurred, you will probably find that certificates were issued in the period between the last backup and the system failure with corresponding data loss.

These certificates are now not stored in the restored certificate authority database, so they cannot be restored if needed.

If you are using the SMTP Exit Module, you can at least determine the serial numbers of the certificates from the sent e-mails and revoke them.

Restoring a certification authority from backup

The following describes how to restore a certification authority from backup. In addition to the disaster case, this procedure is also part of the Migration of a certification authority to a new server.

Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Restoration of a certification authority certificate with software key

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Create a backup of a certification authority

Professional operation of a Certification Authority also includes the regular creation of backups.

The following describes which components need to be backed up and the associated procedure.

Create a backup of the private key of a certification authority

To a Securing a Certification Authority also includes the backup of the private key material. The backup of the private key material is deliberately described separately, since this should be done separately and its backups should also be stored separately from those of the certification authority.

Perform emergency signing of certificate revocation lists

The most important component of a PKI in terms of availability is not the certification authority, as is often assumed, but the revocation list distribution points. If a certification authority is unavailable, initially no new certificates can be issued, but the certificates already issued can continue to be used without hindrance as long as their revocation status can be verified. In addition to the pure availability of the revocation list distribution points, the revocation information must of course also be valid in terms of its signature. Revocation lists have a defined expiration date after which they can no longer be used. If a certification authority has now failed, it can also no longer publish new revocation lists. The process of emergency signing of revocation lists is provided for this case.