Restoration of a certification authority certificate with software key

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Restoring a certificate authority certificate that uses a Hardware Security Module (HSM) is fundamentally different and is described in the article "Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)".

Usually, the backup of the certification authority certificates includes all used certificates of the certification authority in a single file. Should the backup extend to several files, the following steps must be repeated accordingly.

Implementation

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rule sets to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

For the recovery of the certification authority certificate, a previously created backup including private key and the corresponding password are required. The backup is usually in PKCS#12 format (.p12, .pfx). On the target computer, open the computer account certificate management console (certlm.msc). Right-click on "Personal", then "All Tasks" - "Import...".

In the next screen, "Next" is clicked.

With "Browse..." the backup file is now selected.

In the following dialog the filter is set to "All Files (*.*)" or "Personal Information Exchange (*.pfx, *.p12)". The file is then searched for and opened.

Now the next dialog can be called with "Next".

Now the password for the backup file is entered.

When importing the certificate, it is essential to ensure that the private key is marked as exportable to enable future backups. One might be inclined to mark the key as non-exportable for supposed security reasons. However, this is only a pseudo-protection, since the key material can still be used, and export is possible through the relevant tools even if the key is not enabled for export.

The default selection ("Personal") for saving the certificate can be kept.

Click on "Finish" to restore the certificate authority certificate.

If the import was successful, a corresponding message is generated.

The backup of the certification authority certificates includes the entire certificate chain, so the root certification authority certificates may now also be in the "Personal" folder. These can be deleted, since there are no private keys anyway. What is important are the actual certification authority certificates. Whether a private key is present is indicated by the key symbol.
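The same procedure scripted in PowerShell, as an added example that is not part of the original article: it imports the PKCS#12 backup into the computer's "Personal" store with an exportable key, then removes the chain certificates that came along without a private key. The backup path is a placeholder and the password is prompted for interactively.

```powershell
# Added example: restore a CA certificate backup (PKCS#12) into "Personal"
# (Cert:\LocalMachine\My) with an exportable private key, then remove the
# chain certificates the import brings along. Path below is a placeholder.

$BackupFile = 'C:\Backup\CA-Backup.p12'   # placeholder, adjust to the real backup
$Store      = 'Cert:\LocalMachine\My'      # the "Personal" folder in certlm.msc

# Record what is in "Personal" before the import so that only the newly
# added entries are touched afterwards.
$before = @(Get-ChildItem $Store | ForEach-Object Thumbprint)

$Password = Read-Host -Prompt 'Password of the backup file' -AsSecureString

# Equivalent of the MMC wizard with "Mark this key as exportable" ticked.
Import-PfxCertificate -FilePath $BackupFile -CertStoreLocation $Store `
                      -Password $Password -Exportable | Out-Null

$added = Get-ChildItem $Store | Where-Object { $before -notcontains $_.Thumbprint }

foreach ($cert in $added) {
    if ($cert.HasPrivateKey) {
        # An actual CA certificate: this is what the key symbol in the MMC shows.
        Write-Host ("Restored CA certificate: {0} [{1}]" -f $cert.Subject, $cert.Thumbprint)
    }
    else {
        # Chain certificate (e.g. the root CA) that was contained in the backup;
        # it carries no private key here and does not belong in "Personal".
        Write-Host ("Removing chain certificate without private key: {0}" -f $cert.Subject)
        Remove-Item -Path ("{0}\{1}" -f $Store, $cert.Thumbprint)
    }
}
```

HasPrivateKey only reports that a key is present, like the key symbol in the console; it does not confirm the key was imported as exportable.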
