Backing Up an Organizational CA#

If you have minted a significant number of certificates using your Organizational Certificate Authority, you might want to back up your Organizational Certificate Authority's private key and certificates in case the Organizational CA's host server has an unrecoverable failure. If a failure should occur, you can use the backup file to restore your Organizational CA to any server in the tree that has Certificate Server version 2.21 or higher installed.

NOTE: The ability to back up an Organizational Certificate Authority is only available for Organizational CAs created with Certificate Server version 2.21 or later. In previous versions of Certificate Server, the Organizational CA's private key was created in a way that made exporting it impossible.

The backup file contains the CA's private key, self-signed certificate, public key certificate, and several other certificates necessary for it to operate. This information is stored in PKCS #12 format (also known as PFX).

The Organizational CA should be backed up when it is working properly.

To back up and restore and Organizational CA:#

• Log in to the eDirectory tree as an administrator with the appropriate rights. To view the appopriate rights for this task vrify that you have "Supervisor on the Organizational CA’s object"
• Start ConsoleOne.
• Double-click on the Organization Certificate Authority object.
• Click the Certificates tab.
• Click the down-arrow to see the available certificates.
• Click either the Self-Signed Certificate or the Public Key Certificate. Both certificates are written to the file during the backup operation.
• Click Export. This opens a wizard that helps you export the certificates to a file.
• When asked whether to export the private key, select Yes, then click Next.
• Select the filename and the location for the backup file.
• Specify a password with 6 or more alphanumeric characters to use in encrypting the PFX file.
• Click Next.
• Click Finish.

The encrypted backup file is written to the location specified. It is now ready to be stored in a secure location for emergency use.

IMPORTANT#

The exported file should be put on a diskette or some other form of backup media and stored in a secure place. The password used to encrypt the file should be committed to memory or stored in a safe place to ensure that it is available when needed, but inaccessible to others.

More Information#

There might be more information for this subject on one of the following:

• Edirectory Backup Strategy
• Edirectory Certificate Management
• Exporting The Certificate Authority Certificate
• MovingTheCertificateAuthority
• RestoringTheOrganizationalCA