Restore CA Server
I've been thinking about the backup and recovery strategy for a CA hierarchy I am designing and have been unable to find the answers to a couple of questions.

I have a two-tier hierarchy with a 2K3 offline root CA and two 2K8 R2 enterprise policy/issuing CAs. I plan to take a full system backup, including system state, on a weekly basis along with a system state-only backup on a daily basis. If a server goes down completely, I can restore from the latest full system backup and latest system state backup. However, I wondered if it would be possible to deploy a new server of the same name (same disk partitioning scheme etc.), install certificate services, then restore the latest system state backup. I'm only considering this from a speed perspective as new servers can be deployed from an image fairly swiftly. The one problem I see with this approach is the step that requires installing certificate services. Installing it as an enterprise CA would presumably add things into Active Directory. Would it be possible to install certificate services as a stand-alone root and restore system state over the top, to restore the server to its previous state as an enterprise CA?

Another question I have is in connection with the certificates issued by a CA between the time of the last system state backup and the time when the CA fails. If the CA is restored to the point of the last backup, I see there is a potential for 'orphaned' certificates to exist. Is this a scenario that could happen? Are these 'orphaned' certificates still considered valid, as I cannot see how the validation process could consider them otherwise? What is considered best practice in this scenario?

Steve G
February 22nd, 2010 6:12pm

In my environment I additionally back up the following things:

1) CA database (using certutil)
2) CA keys (as I don't have HSMs)
3) registry.

When I need to restore the CA on a new installation I manually install certificate services and import the CA keys (from PFX) during role installation. After that I restore the CA database and then the registry.

About 'orphaned' certificates. While they have a valid signature they will be considered valid. The only thing you cannot do with them is revoke them. This issue can be solved in 2 ways:

1) manually import them into the CA database (so you will need to have these certificates) using 'certutil -importcert'
2) use the exit module from CLM that immediately writes issued certificates to a SQL database, so you will be able to import all 'orphaned' certificates.

I never tried the 2nd solution (1st only), so I assume that this should work.

http://www.sysadmins.lv
February 22nd, 2010 10:23pm
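The three-item backup described in the reply above, written out as an added PowerShell example (not code from the thread or from sysadmins.lv). It assumes it runs elevated on the CA while the CertSvc service is running; the backup root path, the .p12 file name pattern and the orphan folder are assumptions.

```powershell
# Added example: back up CA database, CA keys (PFX) and the CertSvc registry
# configuration into a fresh timestamped folder, then check all three exist.
# Assumed: elevated session on the CA, CertSvc running, $BackupRoot location.
param(
    [string]$BackupRoot  = 'D:\CABackup',   # assumed location
    [string]$PfxPassword = $(Read-Host -Prompt 'PFX password for the CA key backup')
)

# certutil refuses a non-empty target directory, so always create a new one
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest | Out-Null

function Invoke-Checked([string]$What, [scriptblock]$Cmd) {
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# 1) CA database: writes <dest>\DataBase\<CAName>.edb plus the edb*.log files
Invoke-Checked 'certutil -backupDB' { certutil -backupDB $dest }

# 2) CA key pair and certificate as a password-protected PFX (<dest>\<CAName>.p12)
Invoke-Checked 'certutil -backupKey' { certutil -p $PfxPassword -backupKey $dest }

# 3) CertSvc configuration (CRL/AIA URLs, validity periods, policy module settings)
Invoke-Checked 'reg export' {
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $dest 'CertSvc-Configuration.reg') /y
}

# Sanity check: a backup missing any of the three pieces is not a usable one
$edb = Get-ChildItem (Join-Path $dest 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
$p12 = Get-ChildItem $dest -Filter '*.p12' -ErrorAction SilentlyContinue
$reg = Get-ChildItem $dest -Filter '*.reg' -ErrorAction SilentlyContinue
if (-not ($edb -and $p12 -and $reg)) {
    throw "Backup in $dest is incomplete (edb=$($edb.Count) p12=$($p12.Count) reg=$($reg.Count))"
}
Write-Host "CA backup complete: $dest"

# After a restore to an older backup, re-import certificates issued in between
# (the 'orphans') so the CA can revoke them later. $OrphanDir is assumed to
# hold the collected .cer files, as the reply's certutil -importcert approach.
function Import-OrphanedCerts([string]$OrphanDir) {
    Get-ChildItem $OrphanDir -Filter '*.cer' | ForEach-Object {
        certutil -importcert $_.FullName
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed: $($_.Name)" }
    }
}
```

Keep the .p12 and its password apart from the database backup; together they are the CA, and whoever holds both can issue in its name.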

Thanks for the reply!

Just to clarify what you do when you restore a CA on a new installation... when you say you install certificate services and import the CA keys during role installation, do you select to install certificate services as an enterprise CA (if that's what the original CA was) and enter the original CA name etc.?

Steve G
February 22nd, 2010 11:15pm

> do you select to install certificate services as an enterprise CA (if that's what the original CA was) and enter the original CA name etc?

At first I select whether this will be an Enterprise or Standalone CA, then select whether this will be a Root or Subordinate CA, and on the Private Key page there are 2 choices: generate a new one or use an existing key pair. When you select an existing certificate, you will be prompted for an existing certificate in the local store or to import one from a PFX file. The wizard will construct the CA name from the selected/imported certificate.

http://www.sysadmins.lv
February 22nd, 2010 11:47pm
