In this section we focus on key Windows Server 2003 PKI maintenance tasks: CA backup and restore, rollover, and auditing.
As for any other critical component in your IT infrastructure, it is very important to have solid backup-restore procedures for your CA, its configuration, and its database. Windows Server 2003 comes with three tools you can use to back up and restore CA configuration data: the Windows backup and restore wizard, the CA-specific backup and restore utility, and the IIS configuration backup and restore utility.
The Windows backup and restore wizard is available from the Windows Server 2003 Accessories\System Tools start menu option. It can be used to back up the file-system-level CA data listed in Table 16.9, as well as the CA configuration data stored in the system registry and in AD. To back up the registry data, you must check the System State option in the wizard (as illustrated in Figure 16.14).
Table 16.9: CA file system data.

| CA Data | Notes |
|---|---|
| CA Database directory | Default: %windir%\system32\certlog |
| CA Web directory | Default: %windir%\system32\certsrv |
| CA Configuration directory | Only available if explicitly created during CA installation (shared as certconfig) |
Figure 16.14: Backing up the system state and CA configuration data using the backup wizard.
The CA-specific backup-restore utility is available from the CA MMC snap-in and from the command prompt (using the certutil utility). It can back up and restore the CA database and the CA private key and certificate; the key and certificate are exported to a PKCS #12-formatted file. The certutil backup- and restore-related switches and their meaning are explained in Table 16.10. For more information, type certutil /? at the command line.
Table 16.10: Certutil CA backup and restore switches.

| Certutil CA Backup and Restore Switches | Meaning |
|---|---|
| certutil -backup / certutil -restore | Backs up or restores the CA database, certificate, and private key. |
| certutil -backupDB / certutil -restoreDB | Backs up or restores the CA database. |
| certutil -backupKey / certutil -restoreKey | Backs up or restores the CA certificate and private key. |
Before starting the CA-specific backup utility, prepare a separate backup medium or at least a separate folder, distinct from the CA configuration folder on the CA server. The backup fails if the folder you specify is not empty. The CA database can be backed up incrementally, and an incremental backup can be saved at the same location as a full backup. When restoring a CA database from a full backup and a set of incremental backups, never restart the CA service before all incremental backups have been restored; if you do, you lose all changes made after the last incremental backup you restored.
You can use the IIS configuration backup and restore utility to back up and restore the configuration settings of the CA Web enrollment interface. To start this utility, open the Internet Information Services Manager, right-click the Web server computer object, and select All Tasks\Backup\Restore Configuration. To back up and restore the CA-related Web directories, you must rely on the Windows backup and restore wizard.
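The folder rules and restore ordering described above, as an added Python example (not from the book, and not part of Windows or certutil): it checks the backup target, builds the certutil -backup command line with the Incremental and KeepLog keywords from Table 16.10, and lays out the restore sequence for a full backup followed by incremental backups. The -config switch and the CertSvc service name used with net stop/start are certutil's and Windows' own; the scratch file name CAName.p12 and the drive paths are constructed for the example. The commands are only executed when dry_run is switched off on a Windows CA host.

```python
"""Preflight checks and command construction for a certutil CA backup and restore.

Added example; it is not from the book and does not ship with Windows.
It encodes the rules stated in the text: a full backup needs an empty
target folder (certutil fails otherwise), an incremental backup may be
written to the same location as a full one, and a restore replays the
full backup and then every incremental backup before the CA service is
started again. Running the commands needs a host with Certificate
Services and certutil.exe; here they are built and checked.
"""
import subprocess
import tempfile
from pathlib import Path


def backup_dir_ready(path, incremental=False):
    """Return True if `path` is an acceptable target for certutil -backup.

    A full backup requires an existing, empty directory. An incremental
    backup is also allowed into a non-empty directory, because it may be
    stored beside an earlier full backup.
    """
    p = Path(path)
    if not p.is_dir():
        return False
    if not any(p.iterdir()):
        return True
    return bool(incremental)


def build_backup_command(backup_dir, incremental=False, keep_log=True, config=None):
    """Assemble the certutil -backup command line from Table 16.10.

    Incremental and KeepLog are certutil's own positional keywords for
    -backup; -config Machine\\CAName addresses a CA other than the local one.
    """
    cmd = ["certutil"]
    if config:
        cmd += ["-config", config]
    cmd += ["-backup", str(backup_dir)]
    if incremental:
        cmd.append("Incremental")
    if keep_log:
        cmd.append("KeepLog")
    return cmd


def build_restore_plan(full_dir, incremental_dirs):
    """Ordered commands for restoring the CA database from a backup chain.

    The service is stopped, the full backup is restored, then each
    incremental backup in the order it was taken, and only then is the
    service (CertSvc) started: restarting it before the last incremental
    backup is restored discards every change after that point.
    """
    plan = [["net", "stop", "certsvc"],
            ["certutil", "-restoreDB", str(full_dir)]]
    plan += [["certutil", "-restoreDB", str(inc)] for inc in incremental_dirs]
    plan.append(["net", "start", "certsvc"])
    return plan


def run_backup(backup_dir, incremental=False, dry_run=True):
    """Preflight the folder, then build (and optionally run) the backup command."""
    if not backup_dir_ready(backup_dir, incremental):
        raise RuntimeError(f"{backup_dir} is missing or not empty; certutil -backup would fail")
    cmd = build_backup_command(backup_dir, incremental=incremental)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def demo_preflight():
    """Exercise the folder rules on scratch directories; returns three booleans."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "cabackup"
        target.mkdir()
        empty_ok = backup_dir_ready(target)
        # Constructed stand-in for an earlier full backup's PKCS #12 file.
        (target / "CAName.p12").write_bytes(b"placeholder")
        full_into_nonempty = backup_dir_ready(target)
        incremental_into_nonempty = backup_dir_ready(target, incremental=True)
    return empty_ok, full_into_nonempty, incremental_into_nonempty


if __name__ == "__main__":
    print(demo_preflight())
    print(" ".join(build_backup_command(r"E:\cabackup", incremental=True)))
    for step in build_restore_plan(r"E:\cabackup\full", [r"E:\cabackup\inc1"]):
        print(" ".join(step))
```

The preflight keeps the two failure modes the text warns about apart: a non-empty folder is rejected for a full backup but accepted for an incremental one, and the restore plan never starts the service until the last incremental backup has been replayed.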
In PKI terminology, CA certificate rollover is the process of generating a new CA certificate. A CA’s certificate may be renewed for different reasons:

- Extend the CA lifetime
- Change the CA’s public-private key pair
- Change the CA’s key size
- Change CA certificate properties
- The CA’s private key has been compromised
- CRL partitioning
To renew a CA certificate, you must run the renew CA certificate wizard (illustrated in Figure 16.15). It is accessible by right-clicking the CA object in the CA MMC snap-in, and selecting All Tasks\Renew CA Certificate. The wizard prompts you to reuse the same key pair or generate a new one. It brings up different dialog boxes depending on whether you are dealing with a root CA or a subordinate CA.
Figure 16.15: Renew CA certificate wizard.
Changing the CA’s key size and other CA certificate properties at CA certificate renewal time can be done by specifying these parameters in a capolicy.inf configuration file and making this file available when the renewal process occurs (as was explained in Chapter 14).
When a new key pair is generated together with CA certificate renewal, the CA generates a brand-new base CRL the next time the CRL is published. “Brand-new” means that this CRL does not contain any of the revoked certificates listed in the previous CRL. This makes it possible to partition a CA’s base CRLs, because a CRL is signed with a CA private key: after the key is renewed, the new key is only used to sign CRLs containing certificates revoked after the key renewal date. As long as the old CA keys are valid, the CA also keeps publishing their associated CRLs. This is why, after CA certificate and key pair renewal, a CA may publish multiple CRLs every time CRL publishing occurs.
Certificate renewal affects the version number of the CA’s certificate, which is stored in the CA certificate’s CA Version extension. Renewal without generating a new key pair only changes the first part of the version number (the part before the dot). Renewal with a new key pair changes the complete CA version number, both the part before and the part after the dot. Another way to distinguish renewal from reissuing at the level of the CA certificate properties is the following: reissuing generates a new Subject Key Identifier field.
The number of times a CA’s certificate has been renewed and the content of the CA certificates can be seen from the General tab of the CA object’s properties in the CA MMC snap-in (as illustrated in Figure 16.16). In the example of Figure 16.13, the CA certificate was renewed 10 times.
Figure 16.16: CA properties: CA certificates.
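To make the version-number and CRL-partitioning rules from the two paragraphs above concrete, here is an added Python example (not from the book, and not Microsoft code). It assumes the CA Version extension (OID 1.3.6.1.4.1.311.21.1) is a DER INTEGER whose low 16 bits hold the certificate index and whose high 16 bits hold the key index, displayed as V<certificate index>.<key index>, and that a renewal with a new key pair sets the key index to the new certificate index. The RenewableCA class, the serial numbers and the sample extension bytes are constructed for illustration; revocations are filed against the key that is current at revocation time, as the text describes.

```python
"""Decode the CA Version extension and model CRL partitioning across key renewals.

Added example; not from the book. Assumptions (see lead-in): the CA Version
extension (OID 1.3.6.1.4.1.311.21.1) is a DER INTEGER; low 16 bits are the
certificate index, high 16 bits the key index, shown as "V<cert>.<key>".
Every renewal increments the certificate index; a renewal that generates a
new key pair also moves the key index to the new certificate index. Each
key signs its own base CRL, holding the certificates revoked while that key
was current, so a CA with valid old keys publishes several CRLs.
"""


def decode_ca_version(value):
    """Split the 32-bit CA Version integer into (certificate index, key index)."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF


def encode_ca_version(cert_index, key_index):
    """Inverse of decode_ca_version."""
    return (key_index << 16) | cert_index


def format_ca_version(value):
    """Render the integer the way the CA MMC snap-in displays it, e.g. V3.2."""
    cert_index, key_index = decode_ca_version(value)
    return f"V{cert_index}.{key_index}"


def der_integer(data):
    """Parse a short-form DER INTEGER (tag 0x02) such as the extension's value."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length & 0x80 or 2 + length != len(data):
        raise ValueError("unsupported or malformed DER length")
    return int.from_bytes(data[2:2 + length], "big", signed=True)


class RenewableCA:
    """Toy CA state: current CA Version plus one revocation list per key index."""

    def __init__(self):
        self.version = encode_ca_version(0, 0)          # a fresh CA starts at V0.0
        self.revoked = {0: set()}                        # key index -> revoked serials

    def renew(self, new_key_pair):
        """Renew the CA certificate; returns the new displayed CA Version."""
        cert_index, key_index = decode_ca_version(self.version)
        cert_index += 1                                  # every renewal bumps the first part
        if new_key_pair:
            key_index = cert_index                       # new key: second part changes too
            self.revoked[key_index] = set()              # and its base CRL starts empty
        self.version = encode_ca_version(cert_index, key_index)
        return format_ca_version(self.version)

    def revoke(self, serial):
        """Record a revocation against the key that is current right now."""
        _, key_index = decode_ca_version(self.version)
        self.revoked[key_index].add(serial)

    def publish_crls(self):
        """One base CRL per key index, as the CA publishes while old keys are valid."""
        return {k: sorted(v) for k, v in self.revoked.items()}


if __name__ == "__main__":
    # Constructed extension value 0x00020002 -> V2.2
    print(format_ca_version(der_integer(b"\x02\x03\x02\x00\x02")))
    ca = RenewableCA()
    ca.revoke("1001")
    print(ca.renew(new_key_pair=False))                  # V1.0: same key, first part only
    ca.revoke("1002")
    print(ca.renew(new_key_pair=True))                   # V2.2: new key, both parts
    ca.revoke("1003")
    print(ca.renew(new_key_pair=False))                  # V3.2
    print(ca.publish_crls())                             # {0: ['1001', '1002'], 2: ['1003']}
```

The model reproduces the rule of thumb from the text: reading the part after the dot tells you how many renewals ago the current key was introduced, and the number of entries in publish_crls() is the number of CRLs the CA emits at each publication while those keys remain valid.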
Windows Server 2003 PKI comes with interesting new CA auditing capabilities. You can enable auditing for the event groups listed in Table 16.11. All events are logged to the local system’s security event log. CA auditing depends on object access auditing, which can be enabled from the GPO MMC or Local Security Settings MMC snap-in. To fine-tune CA auditing, go to the Auditing tab (illustrated in Figure 16.17) in the properties of the CA object (accessible from the CA MMC snap-in). Table 16.12 shows the most important Certificate Services Event IDs.
Table 16.11: CA audit categories.

| CA Audit Category | Includes |
|---|---|
| Back up and restore the CA database | |
| Change CA security settings | |
| Change CA configuration | |
| Issue and manage certificate requests | |
| Revoke certificates and publish CRLs | |
| Store and retrieve archived keys | |
| Start and stop Certificate Services | |
Figure 16.17: CA auditing settings.
Table 16.12: Certificate Services Event IDs.

| Event ID | Meaning |
|---|---|
| 772 | The certificate manager denied a pending certificate request |
| 773 | Certificate Services received a resubmitted certificate request |
| 774 | Certificate Services revoked a certificate |
| 775 | Certificate Services received a request to publish the CRL |
| 776 | Certificate Services published the CRL |
| 777 | A certificate request extension changed |
| 778 | One or more certificate request attributes changed |
| 779 | Certificate Services received a request to shut down |
| 780 | Certificate Services backup started |
| 781 | Certificate Services backup completed |
| 782 | Certificate Services restore started |
| 783 | Certificate Services restore completed |
| 784 | Certificate Services started |
| 785 | Certificate Services stopped |
| 786 | The security permissions for Certificate Services changed |
| 787 | Certificate Services retrieved an archived key |
| 788 | Certificate Services imported a certificate into its database |
| 789 | The audit filter for Certificate Services changed |
| 790 | Certificate Services received a certificate request |
| 791 | Certificate Services approved a certificate request and issued a certificate |
| 792 | Certificate Services denied a certificate request |
| 793 | Certificate Services set the status of a certificate request to pending |
| 794 | The certificate manager settings for Certificate Services changed |
| 795 | A configuration entry changed in Certificate Services |
| 796 | A property of Certificate Services changed |
| 797 | Certificate Services archived a key |
| 798 | Certificate Services imported and archived a key |
| 799 | Certificate Services published the CA certificate to Active Directory |
| 800 | One or more rows have been deleted from the certificate database |
| 801 | Role separation enabled |
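Reviewing these events is what the auditing is for, so here is an added Python example (not from the book) that parses a constructed CSV export of the Security log, keeps the Certificate Services events (Object Access category, IDs 772 to 801), flags the ones from Table 16.12 that a CA operator should review individually, and notices a restore that was started but never completed. The CSV column names, the user names and every log line are constructed for this example and are not a Windows export format; the event IDs and meanings are those of Table 16.12.

```python
"""Triage of Certificate Services audit events from a Security log export.

Added example; not from the book. Event IDs and meanings come from
Table 16.12. The CSV layout and the sample lines are constructed for this
example. Certificate Services audit events are written to the Security
log under the Object Access category, which is why object access auditing
has to be enabled for CA auditing to produce anything.
"""
import csv
import io
from collections import Counter

# Subset of Table 16.12 used by this example.
CERTSVC_EVENTS = {
    779: "Certificate Services received a request to shut down",
    780: "Certificate Services backup started",
    781: "Certificate Services backup completed",
    782: "Certificate Services restore started",
    783: "Certificate Services restore completed",
    785: "Certificate Services stopped",
    786: "The security permissions for Certificate Services changed",
    787: "Certificate Services retrieved an archived key",
    789: "The audit filter for Certificate Services changed",
    790: "Certificate Services received a certificate request",
    791: "Certificate Services approved a certificate request and issued a certificate",
    792: "Certificate Services denied a certificate request",
    800: "One or more rows have been deleted from the certificate database",
    801: "Role separation enabled",
}
CERTSVC_ID_RANGE = range(772, 802)

# Events worth an individual look: backup/restore activity, permission and
# audit-filter changes, archived-key retrieval, database row deletion, shutdown.
HIGH_PRIORITY = {779, 780, 781, 782, 783, 785, 786, 787, 789, 800, 801}

# Constructed sample export (not real log data; column names are this example's own).
SAMPLE_LOG = """\
Date,Time,Type,Category,Source,EventID,User,Message
2003-11-04,08:01:12,Success Audit,Object Access,Security,790,svc-enroll,Certificate Services received a certificate request
2003-11-04,08:01:13,Success Audit,Object Access,Security,791,svc-enroll,Certificate Services approved a certificate request and issued a certificate
2003-11-04,22:00:00,Success Audit,Object Access,Security,780,ca-backup,Certificate Services backup started
2003-11-04,22:03:41,Success Audit,Object Access,Security,781,ca-backup,Certificate Services backup completed
2003-11-05,02:15:09,Success Audit,Logon/Logoff,Security,528,jdoe,Successful Logon
2003-11-05,02:16:30,Success Audit,Object Access,Security,789,jdoe,The audit filter for Certificate Services changed
2003-11-05,02:17:02,Success Audit,Object Access,Security,800,jdoe,One or more rows have been deleted from the certificate database
2003-11-05,02:20:45,Success Audit,Object Access,Security,782,jdoe,Certificate Services restore started
"""


def parse_security_export(text):
    """Read the CSV export into dicts, converting EventID to an integer."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def certsvc_events(events):
    """Keep only Certificate Services audit events (Object Access, IDs 772-801)."""
    return [ev for ev in events
            if ev["Category"] == "Object Access" and ev["EventID"] in CERTSVC_ID_RANGE]


def unmatched_starts(events, start_id, end_id):
    """Count start events (e.g. 782) lacking a completion event (e.g. 783)."""
    starts = sum(1 for ev in events if ev["EventID"] == start_id)
    ends = sum(1 for ev in events if ev["EventID"] == end_id)
    return max(starts - ends, 0)


def triage(events):
    """Return (event_id, when, user, note) tuples an operator should review."""
    alerts = []
    for ev in events:
        if ev["EventID"] in HIGH_PRIORITY:
            meaning = CERTSVC_EVENTS.get(ev["EventID"], "Certificate Services event")
            alerts.append((ev["EventID"], f"{ev['Date']} {ev['Time']}", ev["User"], meaning))
    # A backup or restore that started but never completed is either still running,
    # failed, or was interrupted; a restore is the case the text warns about.
    for start_id, end_id, what in ((780, 781, "backup"), (782, 783, "restore")):
        for _ in range(unmatched_starts(events, start_id, end_id)):
            alerts.append((start_id, "correlation", "-",
                           f"{what} started without a matching {what} completed event"))
    return alerts


def summarize(events):
    """Histogram of event meanings, for a quick view of what the CA has been doing."""
    return Counter(CERTSVC_EVENTS.get(ev["EventID"], f"event {ev['EventID']}") for ev in events)


if __name__ == "__main__":
    certsvc = certsvc_events(parse_security_export(SAMPLE_LOG))
    for alert in triage(certsvc):
        print(alert)
    print(summarize(certsvc))
```

Note that a logon event (528) from the same export is dropped by the category and ID filter, while the audit-filter change (789) and the row deletion (800) surface as individual alerts: those two are the events that would precede an attempt to hide other activity, so they deserve a direct check against the change record.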