Certification Authority Backup Script

This PowerShell script is designed to back up a Certification Authority (CA), including both Root CA and Issuing CA.

Download Script

Backup Components

Database

Private key backup

CA Policy File

Configuration Registry Hive

Certificates

Templates details for Issuing CA

Pre-requisites

PKI Health Check:

Use the built-in PKI View tool (pkiview.msc) to examine the health of your Certificate Authority and certificate chain.

Administrative Privileges:

Run the script with administrator rights in PowerShell. This is necessary to access and modify system resources required for the backup process.

Windows Server with Certificate Services Role:

Ensure the machine has the Certificate Services role installed and configured.
This script is designed for Windows Server machines with an active CA role.

CertificateAuthority.Config COM Object:

Verify the presence of the CertificateAuthority.Config COM object on your system.
This object is typically available on Windows Server with the Certificate Services role installed.

Secure Password Storage:

A secure method for storing the private key backup password is required. Here are two options:

User Input: The script can be modified to prompt the user for the password during execution. This avoids storing the password directly in the script.
Windows Credential Manager: Utilize the Windows Credential Manager to store the password securely. The script can then retrieve the password from the manager using appropriate cmdlets.

Script Variables:

Review and adjust script variables according to your environment (e.g., backup paths).
These variables define locations for storing backup files and other script configurations.

Hardware Security Module Integration (Optional):

This script can be optionally extended to support Hardware Security Module (HSM) integration.

Additional Prerequisites (HSM):

HSM Compatibility: Ensure your HSM vendor provides a compatible driver or integration software for Windows and interacts with the Certificate Services role. Popular HSM vendors include Thales Luna, Utimaco, and nCipher.
HSM Configuration: Verify a successful connection between the HSM and the CA according to your vendor’s specific instructions. This may involve configuration steps on both the HSM and the CA server.
HSM Credentials: Confirm the availability of any necessary credentials or access cards required for HSM operations as defined by your vendor.
Check for Admin card set (ACS) and Operational card set (OCS).

Note: If you are not using an HSM for private key storage, you can disregard this optional section. The script will function by retrieving the private key from the local Windows storage.

Important: HSM configuration and integration can vary significantly between vendors. Consult your HSM vendor’s documentation for specific instructions.

Script Flow Description

The script creates a timestamped destination folder (e.g., CABackup_$timestamp) within a main directory named CABackup. This simplifies tracking backed-up data. Output directory examples at different timestamps:

C:\CAbackup\CABackup_13-May-2019-04_38_20
C:\CABackup\CABackup_13-May-2019-04_49_09

Detailed Backup Procedures

Private Key Backup

The script retrieves the private key of the Certificate Authority (CA) and stores it securely in a backup file. This backup is crucial for disaster recovery purposes.

Important Note: This script assumes the private key is stored locally on the Windows machine. If you’re using a Hardware Security Module (HSM) for private key storage, refer to the optional HSM integration section for specific instructions.

Hardware Security Module (HSM) Integration:

While the general backup process might involve similar principles across different HSM vendors, the specific techniques and tools used will vary. Here’s a basic overview for some common HSM vendors:

NCipher:
- The script checks for the existence of the nfast service and verifies if it’s running.
- If the service is running, the script searches for the local folder at C:\ProgramData\nCipher\Key Management Data and backs it up to the automatically created destination folder (C:\CABackup).
Thales Luna (formerly Gemalto LunaSafe):
- Thales Luna provides the Luna Command Line Interface (Luna CLI) or the HSM Management Console for key management tasks. Refer to Thales’ documentation for specific steps on backing up private keys stored on a Luna HSM using these tools.
Utimaco:
- Utimaco offers the Utimaco Crypto Command Line Interface (Utimaco CLI) or the Management Console for HSM administration. Utimaco’s documentation will detail the process for backing up private keys stored within a Utimaco HSM using these tools.

Database Backup

The script utilizes the Backup-DatabaseAndLogs function to create a comprehensive backup of the Certificate Authority (CA) infrastructure. This backup includes:

CA Database: The script utilizes the certutil command to back up the critical CA database that stores certificate information and configuration settings.
Private Key: The script also backs up the private key of the CA, essential for signing certificates. The private key is secured using a password provided during script execution.

Important Note: Ensure the password used for private key protection is stored securely following the best practices outlined in the prerequisites section (e.g., Windows Credential Manager).

Configuration Registry Key Export

The script retrieves the configuration settings for the Certificate Services role by exporting a specific registry key:

Key Path:
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Export Location: The script exports the key and its subkeys to a file named CA_regedir_CertSvcConfiguration.reg within the provided backup path ($Path).

Importance of Configuration Backup:

Backing up this registry key captures the configuration settings for your Certificate Services role. These settings might include:

CA validity period
Allowed certificate types
Cryptographic algorithms used
CRL and OCSP configuration

Having a backup of these settings can be helpful for:

Restoring the configuration after a system failure
Migrating the CA role to a new server
Troubleshooting CA operation issues

The script includes a function called Backup-CAPolicy that takes care of locating and copying the CAPolicy.inf file to your designated backup location. This file plays a crucial role in defining various policies for your Certificate Authority (CA)

Importance of CAPolicy.inf Backup:

The CAPolicy.inf file defines various policies governing the behavior of your Certificate Authority (CA). These policies might include:

Certificate validity periods
Allowed certificate types (e.g., Server certificates, Client certificates)
Renewal settings
Duplicate certificate handling

Having a backup of CAPolicy.inf can be beneficial for:

Restoring the CA configuration if the original file is corrupted or accidentally modified.
Migrating the CA role to a new server and replicating the policy settings.
Analyzing the configuration for potential security improvements.

CA Certificates & Certificates Chain Backup

The script retrieves and exports certificates using piped PowerShell commands:

PowerShell

“certutil -ca.cert c:\CABackup\cacert.cer” | cmd
“certutil -ca.chain C:\CABackup\cachain.p7b” | cmd

Benefits of Backing Up Certificates and Chain

Having a secure backup of these certificates is crucial for:

Disaster Recovery: If the originals are lost or corrupted, you can restore them from the backup.
Migration: When migrating your CA to a new server, the backup ensures a smooth transition while maintaining trust relationships.

Steps to Execute the Script
Steps to Backup Using Task Scheduler

Ensure that we have this script ‐> CABackupHSM-nCipher.ps1 in C:\Scripts folder(or the directory where you have your .ps1 script).
Go to the Start Menu ‐> Type cmd to go to the Command prompt and ensure to run as administrator(by right clicking).
Then go to the directory where the script is residing (here its in, C:\Scripts)
Then to run powershell script on command prompt, type C:\Scripts>powershell .\ CABackupHSM-nCipher.ps1

Note: In case of Luna replace CABackupHSM-nCipher.ps1 with CABackupScript.ps1

Step 1: Create a New Task in Task Scheduler

Open Run (or press CTRL + R) and type “taskschd.msc” and press OK.
Navigate to Task Scheduler Library > Events Monitor (create a new folder if not available)
Right-click on Events Monitor and select “Create Task…”

Step 2: Configure Task Settings

In the “General” tab, enter Name, Description for the task.
Enter a name for the task (e.g., “CA Backup”).
Choose “Run whether the user is logged on or not”.
Select “Run with highest privileges”.
Configure for “Windows Server 2022”.
In the “Triggers” tab, click “New…”, choose “Begin the task:” as “On a schedule”, and under “Settings”, select “Daily”. Click on “Set settings…”
In the “Daily” settings window, set “Start time:” to 10:00 PM. Ensure “Recur every 1 day” is selected. You can leave the remaining options unchanged unless you have specific requirements (e.g., delaying the start time after logon). Click “OK” to close the “Daily” settings window, and then click “OK” again to create the new trigger.
In the “Actions” tab, click “New…”. In the “Action” field, select “Start a program”. In the “Program/script” field, enter “powershell.exe”. In the “Add arguments (optional)” field, enter -ExecutionPolicy Bypass -File C:\scripts\CABackupHSM-NCipher.ps1 (replace C:\scripts with the actual path where you saved the script). Click “OK”.
In the “Settings” tab, check “Allow the task to be run on demand”, “Run the task as soon as possible after a scheduled start is missed”. Select “If the running task does not end when requested, force it to stop” and “Stop the existing instance”. Click “OK”.