Restoring Certificate Services database and recovering private keys
I’d like to know if anything can be done about certificates that have been issued after the last backup of the certificate database in the event that the database needs to be restored (i.e. the certificates will not be in the restored database because they were issued after the backup). We're running AD CS. Here’s a scenario:

· Backup of our certificate database happens at 04:00
· John is issued a USER certificate (with the key archived so that it can be recovered) at 08:00
· Mary sends John an encrypted email at 10:00 – John reads the email
· The server that issued John’s USER certificate has an unrecoverable hard drive failure at 12:00 (the server can be rebuilt with the CA key and the database restored)
· After the restore, John’s USER certificate is no longer in the database; therefore the key cannot be recovered (with certutil.exe) in the event that John accidentally deletes/corrupts his USER certificate

Given this scenario, I’ve got a couple of questions...

1. Is there any way to determine who/what has been issued a certificate after the last backup?
2. If the GPO is configured to “Renew expired certificates, update pending certificates, and remove revoked certificates”, will John’s USER certificate be automatically updated when it expires (even though it isn't in the restored database)?

Background: We’re a 2003 Native Mode Domain (single Forest, single Domain) and we’re installing Certificate Services on two 2008 R2 Enterprise (domain member) servers. We have a Root and Subordinate (Issuing) server. We’re enabling Credential Roaming for our users, who will be largely using XP.

Any comments or suggestions will be most welcome...
February 16th, 2010 11:32pm

To determine what was issued, you need to use an Exit module such as the CLM/FIM CM Exit module or WiseKey that writes each certificate that is issued into a SQL database. Once found, you could import their certificate by exporting it at the client computer and importing it into the CA database using certutil -importpfx.

John's certificate will still renew if you have enabled autoenrollment for the certificate. There is no dependency on the CA database for the renewal.

Brian
February 16th, 2010 11:44pm
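The following script is an added worked example for the two steps Brian describes (find out which certificates were issued after the backup, then put them back into the CA database); it is not code from the original thread or from Microsoft. Because the CA database itself is the thing that was lost, it uses a different source of truth than an exit module: it assumes the user template has "Publish certificate in Active Directory" enabled (which is typical for an S/MIME template, since that is how Mary finds John's certificate), and enumerates the `userCertificate` attribute of every user. The CA config string, the CA subject name, the backup time and the export directory are placeholders. It targets PowerShell 2.0 on the rebuilt 2008 R2 issuing CA and uses `[adsisearcher]`-style LDAP rather than the AD module, so it works against 2003 domain controllers. Certificates are put back with `certutil -importcert`, which restores the certificate row only; the re-archival step at the end uses `certutil -importkms`, which takes a PFX as its input file (check its exact parameters with `certutil -importkms -?` on your build).

```powershell
# Added example, not from the original thread. Run as a CA administrator on
# the rebuilt issuing CA. All names, times and paths below are assumptions.
$CAConfig   = 'issuing01.contoso.local\Contoso Issuing CA'     # assumed
$CASubject  = 'CN=Contoso Issuing CA, DC=contoso, DC=local'    # assumed
$LastBackup = [datetime]'2010-02-16 04:00'                     # assumed
$ExportDir  = 'C:\CARecovery'                                  # assumed
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Serial numbers of issued certificates that survived in the restored
#    database. Disposition 20 = issued; csv output quotes each field, and the
#    regex drops the header and certutil's trailing status line.
$restored = @{}
certutil -config $CAConfig -view -restrict 'Disposition=20' -out 'SerialNumber' csv |
    ForEach-Object {
        if ($_ -match '^"([0-9a-fA-F]+)"$') { $restored[$matches[1].ToLower()] = $true }
    }

# 2. Walk every user certificate published to AD, keep the ones our CA issued
#    after the backup, and flag those the restored database does not know about.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(userCertificate=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('userCertificate')

$missing = @()
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($raw in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (,[byte[]]$raw)
        if ($cert.Issuer -ne $CASubject)        { continue }   # issued by another CA
        if ($cert.NotBefore -le $LastBackup)    { continue }   # already in the backup
        if ($restored.ContainsKey($cert.SerialNumber.ToLower())) { continue }

        # Save the DER certificate so it can be re-imported and kept as evidence.
        $file = Join-Path $ExportDir ('{0}_{1}.cer' -f $sam, $cert.SerialNumber)
        [System.IO.File]::WriteAllBytes($file, $cert.RawData)
        $missing += New-Object PSObject -Property @{
            User = $sam; SerialNumber = $cert.SerialNumber
            NotBefore = $cert.NotBefore; File = $file
        }
    }
}

# 3. Put the public certificates back into the CA database so they appear in
#    certutil -view and can be revoked or renewed normally. This restores the
#    certificate rows only: the archived private keys were lost with the old
#    database and cannot be rebuilt from what is published in AD.
foreach ($m in $missing) {
    certutil -config $CAConfig -importcert $m.File | Out-Null
}
$missing | Sort-Object User | Format-Table User, SerialNumber, NotBefore, File -AutoSize

# 4. Key archival for a flagged certificate can only be re-established if the
#    user still holds the key and the template allowed it to be exported.
#    On John's workstation:
#      certutil -user -p "<pfx password>" -exportpfx My <SerialNumber> john.pfx
#    Then on the CA, which archives the key under the configured KRA:
#      certutil -config $CAConfig -p "<pfx password>" -importkms john.pfx
#    If the key is not exportable, the only option is to re-enroll the user so
#    a fresh key is archived; the old certificate stays valid for decryption
#    but cannot be recovered by the CA.
```

Users who did not get their certificate published to AD (or whose certificate was issued by a template without that flag) will not show up here; for those, the client-side export Brian describes, or an exit module that logs issuance outside the CA, is the only record. The serial-number comparison is case-insensitive because the CA database stores serials in lowercase hex while the .NET `SerialNumber` property returns uppercase.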

Brian,

Thanks for the answer. I appreciate your response and I'll run with it from here. I just needed a little guidance...

Joe.
February 17th, 2010 3:56pm

