Certificate Server Does Not Create Backups of Installed Keys

This article was previously published under Q216922
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY
Certificate Server does not create backups of installed keys. If you intend to use thecertificate to encrypt persistent data such as e-mail, then you shouldensure that some form of back up protects the private key for that certificate.If the key is unprotected, and is subsequently unavailable, then youwill be unable to decrypt data encrypted with the certificate.
MORE INFORMATION
The functions of a Certificate Server can be summarized as follows:
Receive certificate requests.Create certificates from the requests it receives.Distribute or publish certificates.Publish Certificate Revocation Lists (CRLs).
Some applications, which encrypt persistent data such as e-mail, have anadditional requirement to archive private keys of encryptioncertificates. This is to ensure a users access to the data in the eventthat they become unavailable. If that event occurs, the user can request acopy of the private key from the archive. Exchange Advanced Security hasan additional service, the Key Manager Server (KMS), which performs thisrole.

Microsoft CSPs store the private keys in the registry. If Roamingprofiles are used, then the Windows NT infrastructure provides resilience forthe private keys. If Roaming profiles are not available, or a third-partyCSP is used that does not use the registry to store keys, separateprovisions should be made to back up the keys.
Certificate, Back-up, S/MIME
Properties

Article ID: 216922 - Last Review: 01/06/2015 04:23:59 - Revision: 3.1

  • Microsoft Certificate Server 1.0
  • Microsoft Windows NT Server 4.0 Standard Edition
  • kbnosurvey kbarchive kbinfo KB216922
Feedback