
Upload: duongdiep

Post on 20-Apr-2018


Page 1: Root Certificate Authority Backup Considerations Certificate Authority Backup Considerations Introduction: Microsoft Certificate Authority is an Enterprise PKI solution deployed widely

Root Certificate Authority Backup Considerations

Introduction:

Microsoft Certificate Authority is an enterprise PKI solution that is widely and successfully deployed across SME and enterprise organizations. Microsoft CA provides PKI functionality for the network stack (DNS / NPS / Wireless / Routing and Remote Access, Smart Card), for application authentication such as ADFS, IIS, RMS, etc., and for device authentication across networks.

Designing a PKI infrastructure requires a careful understanding of the organization's existing business requirements and an assessment of the infrastructure needed to meet them. The PKI design architect should understand and assess the PKI requirements and identify the software and application components that can make use of certificates.

[Figure: Microsoft CA serving the Internal Corporate Network: Network (Wireless, IPSEC), Storage (RMS, DFS), Servers (server communications), Clients (client authentication), Applications (IIS, CRM, SAP, SharePoint, etc.)]

Organization Challenges:

Most organizations do not consider a failover plan for software infrastructure servers such as Microsoft AD / CA, etc. The reason may be cost, or it may be an inexperienced design decision, and it leads to catastrophic results when a specific service fails. In this example, we will consider Microsoft Certificate Authority.

A Certificate Authority failure, whether caused by an abrupt server shutdown in the datacenter, by a hardware failure, or by an IT team that has not managed its Certificate Authority for years, leads to serious authentication issues for the software and applications that rely on Microsoft Certificate Authority.

Bad but Workable Design

[Figure: PKI Infrastructure, Active Directory Infrastructure, Corporate Servers, Corporate External, Proxy Server]

The above design is still a workable solution, but there is no failover or high availability for the Certificate Authority, which poses the risk that systems are unable to communicate when they try to reach either the Subordinate CA or the Root CA.

The PKI design architect is responsible for properly documenting the infrastructure after the CA has been implemented. The documentation includes:

a) Active Directory forest infrastructure

b) Active Directory domain infrastructure

c) Existing CA infrastructure

   - CA and Subordinate / Child CA infrastructure
   - Certificate template definition
   - Data paths
   - CRL and AIA information
   - CSP
   - CAPolicy.inf file backed up

d) Provisioning of certificates to devices

e) Identity management

f) Network sites and subnet infrastructure

Once the above information has been recorded, administrators should design a backup solution that describes the backup procedure and the restore procedure to follow in the event of a Microsoft Certificate Authority failure.

Recommended Design for a Single Site Infrastructure

[Figure: PKI Infrastructure, Active Directory Infrastructure, Corporate Servers, Corporate External, Proxy Server, CRL (shown four times), Backup Server]

Backup Procedure

To back up and restore the Certificate Authority, follow the links below:

http://technet.microsoft.com/en-us/library/cc725565.aspx - Backup

http://technet.microsoft.com/en-us/library/cc753374.aspx - Restore
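
As an added example (not part of the original document or the linked Microsoft procedures), the following PowerShell sketch takes a backup that explicitly includes the CA private key together with the configuration items listed for documentation earlier: CRL and AIA settings, CSP, data paths, CAPolicy.inf and published templates. It assumes Windows Server 2012 or later with the ADCSAdministration module, a software-based (exportable) CA key, and a hypothetical staging folder `D:\CABackup`.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the CA server. $BackupRoot is a hypothetical staging path.
$ErrorActionPreference = 'Stop'
Import-Module ADCSAdministration

$BackupRoot = 'D:\CABackup'
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 1. CA database plus CA certificate and private key (written as a password-protected .p12).
$Password = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString
Backup-CARoleService -Path $Target -Password $Password

# 2. CA configuration held in the registry (CRL and AIA publication settings, CSP, database paths).
$RegFile = Join-Path $Target 'CertSvc-Configuration.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export of the CertSvc configuration failed.' }

# 3. CAPolicy.inf, when one was placed in %windir% at installation.
$CaPolicy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $CaPolicy) { Copy-Item -Path $CaPolicy -Destination $Target }

# 4. Templates published by this CA (Enterprise CA only; a standalone CA has none).
certutil.exe -catemplates | Out-File -FilePath (Join-Path $Target 'PublishedTemplates.txt') -Encoding utf8

# 5. Refuse to call the backup good unless the key file and the database are both present.
$KeyFile = Get-ChildItem -Path $Target -Filter '*.p12'
if (-not $KeyFile -or -not (Test-Path (Join-Path $Target 'DataBase'))) {
    throw "Backup in $Target is incomplete: .p12 key file or DataBase folder is missing."
}

# 6. Hash manifest so a later restore can confirm the set is unchanged.
$Hashes = Get-ChildItem -Path $Target -Recurse -File | Get-FileHash -Algorithm SHA256
$Hashes | Export-Csv -Path (Join-Path $Target 'manifest.csv') -NoTypeInformation
```

The resulting folder contains the CA private key, so it belongs on offline, access-controlled storage rather than on a general-purpose file share.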

Infrastructure Solution Tips:

1. A book written by an industry expert advises that a System State backup can be used to back up the private keys of the CA, but Microsoft has confirmed that a System State backup will not store private keys.

2. If the CA fails and there is no backup of the CA, administrators have to remove the CA entries from the Active Directory domain. This will / may affect existing connections, because clients rely on the distribution points, validate the CRL and check its "Next Update" value; until then, the certificate works.

   But in the event of decommissioning the CA, any communications will fail.

3. In the event of a Root CA failure with no backup, the only recommendation is to build the PKI from scratch.

Note: A Subordinate Root CA cannot be upgraded to a Root CA.