Protecting Certificate-based Services from Disaster

Bad things happen to good administrators. No matter what one does, hard drives go bad, power supplies burn out, and files get deleted. By keeping these inevitabilities in mind, you can protect yourself from accidental deletion and equipment failures.

Building Fault Tolerance

No single point of failure is a common planning scheme among network administrators. If you have at least two of everything you can afford to lose one without user downtime. Administrators deploying a PKI environment with multiple tiers can deploy several layers of fault tolerance such as the following:

• Clustering essential roles in the CA infrastructure

• Hosting the CA servers in multiple locations

• Network load balancing of the CA enrollment servers

• Maintaining off-line copies of the CA certificates

Planning Backup and Restoration

Administrators have the unenviable role of bringing lost data back from the netherworld or raising servers from the dead. By planning for failure you can create a disaster recovery plan of action and spare server parts and roles.

Tracking changes is important because restoring an old copy of a server can take the company back several weeks if not break the applications altogether.

Perform the following steps when backing up a Certificate Authority:

1. Log on to the system with at least Backup Operator or Certification Authority Administrator privileges.

2. Click Start, Programs, Administrative Tools and double-click Certification Authority.

3. In the console tree, right-click on the name of CA server that you want to back up.

4. Choose All Tasks/Back up CA as shown in Figure 3.4.

   Figure 3.4. Backing up the Certification Authority.