Certificate Server Does Not Create Backups of Installed Keys
Article ID: 216922 - View products that this article applies to.
This article was previously published under Q216922
Certificate Server does not create backups of installed keys. If you intend to use the certificate to encrypt persistent data such as e-mail, then you should ensure that some form of back up protects the private key for that certificate. If the key is unprotected, and is subsequently unavailable, then you will be unable to decrypt data encrypted with the certificate.
The functions of a Certificate Server can be summarized as follows:
Receive certificate requests.Create certificates from the requests it receives.Distribute or publish certificates.Publish Certificate Revocation Lists (CRLs).Some applications, which encrypt persistent data such as e-mail, have an additional requirement to archive private keys of encryption certificates. This is to ensure a users access to the data in the event that they become unavailable. If that event occurs, the user can request a copy of the private key from the archive. Exchange Advanced Security has an additional service, the Key Manager Server (KMS), which performs this role.
Microsoft CSPs store the private keys in the registry. If Roaming profiles are used, then the Windows NT infrastructure provides resilience for the private keys. If Roaming profiles are not available, or a third-party CSP is used that does not use the registry to store keys, separate provisions should be made to back up the keys.