Certificate Authority Backup
Hi, I log in to the Certificate Authority to back up each individual client's certificate. I follow the steps below; it takes me through the wizard, but doesn't give any option to back up the public/private key. Does it back up the public/private key automatically, or how can I verify? If I were to back up the whole server, there will be an option. Is there a way to back up the client's certificate that includes the public/private key? Please advise.
My Server Info: Windows 2008 R2
1. Log in to the CA Server.
2. Go to Certificates, right-click the certificate and then click Properties.
3. Click the Details tab, and then click Copy to File.
4. Follow the wizard to export it.
Thx
Tim
January 3rd, 2012 10:08pm

To back up a CA by using the Certification Authority snap-in:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, point to All Tasks, and click Back Up CA.
4. Follow the instructions in the CA Backup Wizard.
You can also back up a CA by using the Certutil command-line tool. You must be a CA administrator or a member of the Backup Operators group, or equivalent, to complete this procedure.
Ref: http://technet.microsoft.com/en-us/library/cc725565.aspx
~Santosh
January 3rd, 2012 11:39pm

Hi, I want to back up just the client's certificate with the public/private key. For the CA Server backup, I know how. Please advise. Thx Angkor
January 4th, 2012 12:13am

As far as I know, you can only back up the private key by right-clicking the CA and selecting "Backup". You only have to do this once in the lifetime of the certificate. As long as you keep the key in a safe place, you should be fine with it. If you want to back up the CA database, then you can create a scheduled task using the certutil command.
~Santosh
January 4th, 2012 1:07am

Hi, Thx for your response. Let's say one user's PC crashed and there was no backup on the client machine; if you back up the whole CA server, every certificate will be restored. I just want the individual certificate only, so we don't have to restore the whole certificate. I was able to back up individual certificates just fine, but I'm not sure if it backs up the public/private key also. Do you know if that is possible?
January 4th, 2012 1:10am

Certificates can be distributed without the client even noticing that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. This feature is called Certificate Autoenrollment. So, if you configure the Autoenrollment feature, there is no need to worry about a single PC crash. Please refer to the article below, which talks about configuration of Certificate Autoenrollment:
http://technet.microsoft.com/en-us/library/cc731522.aspx
~Santosh
January 4th, 2012 1:21am

For Certificate queries, best forum to discuss. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Thanks
January 4th, 2012 11:38am

Hi Santosh, Thx for the info.
January 4th, 2012 2:08pm

Thx for the link. I still cannot find how to back up an individual client's certificate, including the private/public key, from the CA Server. If you have that info please let me know. Thx
January 4th, 2012 2:09pm

For Certificate queries, best forum to discuss. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Thanks
January 4th, 2012 7:35pm

Please have a look at the following thread, which might help you:
Export Certificate with Private Key from CA Management MMC
Also, individual certificates and private keys can be exported from a client machine:
Import or export certificates and private keys (Win Vista and Win 7)
Importing and exporting certificates (Win XP)
~Santosh
January 4th, 2012 9:02pm
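
Added example, not part of the thread: PowerShell functions that answer the "how can I verify?" question by checking whether an exported certificate file, or a certificate in the user's store on the client, actually has a private key attached. The function names and the paths in the usage lines are hypothetical; only .NET classes available to PowerShell 2.0 on Windows 7 / Server 2008 R2 are used.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Report whether a certificate file produced by an export wizard contains a private key.
function Get-CertFileKeyInfo {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Security.SecureString]$Password   # needed only for .pfx/.p12 files
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ($Password) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full, $Password, $flags)
    } else {
        # .cer/.crt files hold the certificate and public key only; no password needed
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full)
    }
    try {
        New-Object PSObject -Property @{
            File          = $full
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
        }
    } finally {
        $cert.Reset()   # release the certificate and any key material loaded from a PFX
    }
}

# List the logged-on user's certificates and whether each private key is present
# and marked exportable (run on the client, as the user who owns the certificates).
function Get-UserCertKeyInfo {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $exportable = $null
        if ($_.HasPrivateKey) {
            # CspKeyContainerInfo exists only for CSP-backed keys; other providers stay $null
            try { $exportable = $_.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
        }
        New-Object PSObject -Property @{
            Subject = $_.Subject; Thumbprint = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey; Exportable = $exportable
        }
    }
}

# Usage (placeholder paths):
# Get-CertFileKeyInfo -Path C:\Temp\user1.cer
# Get-CertFileKeyInfo -Path C:\Temp\user1.pfx -Password (Read-Host -AsSecureString 'PFX password')
# Get-UserCertKeyInfo | Format-Table -AutoSize
```

A file that reports `HasPrivateKey = False` restores the certificate only; mail encrypted to it cannot be decrypted from that file.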

Hi Santosh, Thanks for your quick response. I have the following questions. The following scenarios are all in the same domain:
1. If the same user requests a certificate from the CA on different PCs or devices, are those certificates the same?
2. If a user uses the certificate on one PC to encrypt a mail, could the user use a second PC to open the encrypted mail? The second PC also gets a certificate from the same CA directly.
3. What is the major feature included in CA autoenrollment?
4. How can the encrypted mail be re-opened if the PC crashes?
January 4th, 2012 9:17pm

Sorry, I was away for a while so couldn't reply immediately. Here are the answers to your questions.
1. If the same user requests a certificate from the CA on different PCs or devices, are those certificates the same?
Yes, certificates should be the same as the user is requesting the certificate from the same CA.
2. If a user uses the certificate on one PC to encrypt a mail, could the user use a second PC to open the encrypted mail? The second PC also gets a certificate from the same CA directly.
The certificates used to encrypt/decrypt the messages on the first PC should be installed on the second PC as well. Please have a look at the following article to understand how E-mail certificates work.
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=223
3. What is the major feature included in CA autoenrollment?
Please go through the following wiki article to know more about it.
Active Directory Certificate Services (AD CS) Overview
http://social.technet.microsoft.com/wiki/contents/articles/1137.aspx
4. How can the encrypted mail be re-opened if the PC crashes?
The certificates used to decrypt the messages must be reinstalled. If the initial certificate was obtained from the CA, then a new copy of it should be available there as well.
Hope that helps
~Santosh
January 6th, 2012 1:16am

Hi Santosh, Thx for answering my questions, much appreciated. I will check with my team if they have any other questions. Thx
January 6th, 2012 2:10pm

Hi Santosh, I'm still having a problem sending E-mail after I had my autoenrollment configured from your instructions. I got an error message when I sent a test mail to itself, or to user 2 or user 3. The error message is below:
Outlook Web App couldn't find your digital ID for encryption. If your digital ID is on a smart card, insert the card in the card reader, and then try to send the message again. You can also try sending the message unencrypted.
Here is what I have done.
1. Logged in as test User 1 on Workstation 1, checked the certificate is already installed in IE. I also logged in to the CA Server and verified in certificate manager that it is already issued correctly. I also tested using test2 and test 3 and still got the same issue.
2. Sent a test mail to test@domian.com .. Got that error right away.
3. I verified the two templates already created are Basic EFS and CEP Encryption, and permissions are already set to READ and AUTOENROLL.
4. I tried uninstalling/re-installing S/MIME. If I uncheck both boxes I can send, but not encrypted. I confirmed there is only one checkbox, that is the top one.
Please let me know if there is anything missing or to configure. Thanks for your help.
January 11th, 2012 12:28am

Any update on this? Thx
January 13th, 2012 12:18am

Please refer to the following articles:
Sending Encrypted and Digitally Signed E-Mail http://help.outlook.com/en-us/140/bb899559.aspx
Receiving Encrypted and Digitally Signed E-Mail http://help.outlook.com/en-us/140/bb899565.aspx
S/MIME Tab http://help.outlook.com/en-us/140/bb899598.aspx
If nothing helps, then I would suggest you post a new question in the Outlook Forum:
Outlook IT Pro Discussions http://social.technet.microsoft.com/Forums/en/outlook/threads
Thanks
~Santosh
January 13th, 2012 3:42am

Hi Santosh, I followed that link, but it doesn't mention anything about whether I need to create a template in the CA Server. For the client side, I'm using OWA to test, not Outlook. Do you have a document for the CA Server side template, what it needs to encrypt Exchange E-mail? Thx Angkor
January 16th, 2012 11:17pm

Obtain a Server Certificate from a Certification Authority http://technet.microsoft.com/en-us/library/bb125165.aspx
Also, I have noticed that multiple different questions have been asked in a single thread, and most of the answers also appear to be correct, but you are not satisfied at all !!! For OWA, Outlook, CA and Exchange etc... there are dedicated forums. I would suggest you segregate your questions and ask individual questions in the appropriate forums. Please do an internet search to get the URLs of those forums!
Thanks, Being Human
January 16th, 2012 11:54pm

Hi Being Human, I posted my questions there but no one has responded yet. Santosh provided very good details and it is very helpful. The last link Santosh provided doesn't tell what template the CA Server uses. The only thing I need to know is what template the CA Server requires to be created. I have a Windows 2008 R2 Server CA which is already joined to AD. I will post again to see if anyone responds. Thx
January 17th, 2012 9:17pm

This topic is archived. No further replies will be accepted.