Restoration of a certification authority certificate with software key

Author Uwe GradeneggerPosted on Categories Backup and restore, Certificate usage, Certification Authority

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Restoring a certificate authority certificate with Hardware Security Module (HSM) is fundamentally different and is described in the article "Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)" described.

Usually, the backup of the certification authority certificates includes all used certificates of the certification authority in a single file. Should the backup extend to several files, the following steps must be repeated accordingly.

For the recovery of the certification authority certificate, a previously created backup including private key and the corresponding password are required. The backup is usually in PKCS#12 format (.p12, .pfx). On the target computer, open the computer account certificate management console (certlm.msc). Right-click on "Personal", then "All Tasks" - "Import...".

In the next screen, "Next" is clicked.

With "Browse..." the backup file is now selected.

In the following dialog the filter is set to "All Files (*.*) or "Personal Information Exchange (*.pfx, *.p12). The file is then searched for and opened.

Now the next dialog can be called with "Next".

Now the password for the backup file is entered.

When importing the certificate, it is essential to ensure that the private key is marked as exportable to enable future backups. One might be inclined to mark the key as non-exportable for supposed security reasons. However, this is only a pseudo-protection, since the key material can still be used, and export is possible through the relevant tools even if the key is not enabled for export.

The default selection ("Personal") for saving the certificate can be kept.

Click on "Finish" to restore the certificate authority certificate.

If the import was successful, a corresponding message is generated.

The backup of the certification authority certificates includes the entire certificate chain, so the root certification authority certificates may now also be in the "Personal" folder. These can be deleted, since there are no private keys anyway. What is important are the actual certification authority certificates. Whether a private key is present is indicated by the key symbol.

Related links:

en_USEnglish
de_DEDeutsch en_USEnglish