
Certutil tasks for backing up and restoring certificates

http://technet.microsoft.com/en-us/library/cc755341.aspx


Certification authorities should be backed up regularly and restored when necessary to provide their services. You
can use certutil to perform these tasks.

This page covers the following tasks:

• To back up Certificate Services
• To back up a CA database
• To back up the CA certificate and keys
• To restore the CA database, certificates, and keys
• To restore the CA database
• To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file
• To dump the CA database schema, for example, column names, types, and max sizes

To back up Certificate Services


Syntax
certutil -backup [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory [incremental] [keeplog]

Parameters
-backup
Backs up Certificate Services.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory.
incremental
Implements an incremental backup instead of a full backup.
keeplog
Preserves database log files.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
• If you do not specify keeplog, certutil -backup combines the database log files into a single log file that is retained upon the successful completion of -backup.
• If you do not specify incremental, certutil -backup performs a full backup.
• You can use the -f option to overwrite existing files in BackupDirectory.

Examples
To back up the database, certificate, and keys of a CA named EnterpriseCA into f:\Backup2\EnterpriseCA, protecting the exported key with the password p@ssw23, type:

certutil -p p@ssw23 -backup f:\Backup2\EnterpriseCA

To take an incremental backup into a separate directory tree, or to preserve the individual database log files, type one of:

certutil -p p@ssw23 -backup f:\Backup2\EnterpriseCA incremental

certutil -p p@ssw23 -backup f:\Backup2\EnterpriseCA keeplog

To back up a CA database
Syntax
certutil -backupdb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory [[incremental] [keeplog]]

Parameters
-backupdb
Backs up the Certificate Services database.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
BackupDirectory
Specifies the backup directory.
incremental
Implements an incremental backup instead of a full backup.
keeplog
Preserves database log files.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• You can run this command locally or remotely. The server and the CA must be running. Typically, administrators use this command to perform infrequent full backups followed by frequent incremental backups. Each backup must be made into a separate directory tree. Starting with the most recent full backup, all backups are required to correctly restore the database.
• If you do not specify keeplog, certutil -backupdb combines the database log files into a single log file that is retained upon the successful completion of -backupdb.
• If you do not specify incremental, certutil -backupdb performs a full backup.
• You can use the -f option to overwrite existing files in BackupDirectory.

To back up the CA certificate and keys


Syntax
certutil -backupkey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

Parameters
-backupkey
Backs up the Certificate Services certificate and private key.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
• You can use the -f option to overwrite existing files in BackupDirectory.
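The backup procedure the -backupdb remarks describe (infrequent full backups, frequent incremental ones, each in its own directory tree, with the CA running) and the key-only -backupkey task above, driven from PowerShell on the CA host. This is an added example and not code from the TechNet page: the CA configuration string, the backup root, the icacls principals and the password prompt are assumptions for illustration, as is the DataBase/.p12 layout that certutil writes into the backup directory. It also checks that the exported PKCS #12 file actually opens with the password used and records file hashes for the restore side, which the page does not cover.

```powershell
# Added example, not from the TechNet page. Runs certutil -backup / -backupkey
# into a fresh, access-restricted directory per run. Assumed: CA config string,
# backup root, and that the caller is a CA administrator on the (running) CA host.
param(
    [ValidateSet('full', 'incremental', 'keys')]
    [string]$Mode = 'full',
    [string]$BackupRoot = 'F:\Backup2',                          # assumption
    [string]$CAConfig   = 'CA01.corp.example.com\EnterpriseCA'   # assumption: CAMachineName\CAName
)

# -p takes the PKCS #12 password as a plain command-line argument, so prompt for
# it instead of hard-coding it. It is still visible in this process's command line
# while certutil runs, so run this locally on the CA, not through a logged jump host.
$cred = Get-Credential -UserName 'pfx' -Message 'Password for the CA key backup (32 characters max)'
$pw   = $cred.GetNetworkCredential().Password
if ([string]::IsNullOrEmpty($pw) -or $pw.Length -gt 32) {
    throw 'PKCS #12 passwords must be 1 to 32 characters (certutil limit).'
}

# One directory tree per backup, never reused: -f is deliberately not passed, so an
# existing tree is never overwritten and a restore can find every increment.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = Join-Path $BackupRoot "$stamp-$Mode"
New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null

# The tree will contain the CA private key: cut inheritance and grant only
# SYSTEM and Administrators before certutil writes anything into it.
icacls $dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

switch ($Mode) {
    'full'        { $cuArgs = @('-config', $CAConfig, '-p', $pw, '-backup',    $dir) }
    'incremental' { $cuArgs = @('-config', $CAConfig, '-p', $pw, '-backup',    $dir, 'incremental') }
    'keys'        { $cuArgs = @('-config', $CAConfig, '-p', $pw, '-backupkey', $dir) }
}
& certutil.exe @cuArgs
if ($LASTEXITCODE -ne 0) { throw "certutil exited with $LASTEXITCODE; treat this backup as failed." }

# Check that the .p12 written by -backup/-backupkey opens with the password we used
# and carries a private key; a backup you cannot decrypt is not a backup.
# EphemeralKeySet keeps the key out of the caller's key store (assumes .NET 4.7.2+).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
foreach ($p12 in Get-ChildItem -Path $dir -Filter '*.p12') {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p12.FullName, $pw, $flags)
    try {
        if (-not $cert.HasPrivateKey) { throw "$($p12.Name) contains no private key" }
        "{0}: {1} thumbprint {2}" -f $p12.Name, $cert.Subject, $cert.Thumbprint
    } finally {
        $cert.Dispose()
    }
}

# Record SHA-256 hashes of everything written so the restore side can detect
# tampering or truncation before feeding the tree to certutil -restore.
Get-ChildItem -Path $dir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $BackupRoot "$stamp-$Mode.sha256.csv") -NoTypeInformation
```

Run it with -Mode full on a schedule, -Mode incremental in between, and -Mode keys after any CA certificate renewal. Keep the hash CSV and the thumbprint line somewhere other than the backup tree itself, since the restore procedure is where you compare them.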

To restore the CA database, certificates, and keys


Syntax
certutil -restore [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

Parameters
-restore
Restores the CA database, certificates, and keys from the specified BackupDirectory.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory from which you want to restore the CA database, certificates, and keys.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.

To restore the CA database


Syntax
certutil -restoredb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory

Parameters
-restoredb
Restores CA database from the specified BackupDirectory.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
BackupDirectory
Specifies the backup directory from which you want to restore the CA database.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• The CA server must not be running. You can run this command locally or remotely.
• To restore a full backup and incremental backups, you must restore the full backup first, and then restore all subsequent incremental backups in any order. To overwrite the existing server database files with the full restore, use -f. Do not start the server until all backups are restored.
• When you start the CA server, you initiate database recovery. If the CA server starts successfully (as recorded in the application event log), restore and recovery were completed successfully. If the server fails to start after the restore, you receive an error code. For more information if the restore fails, you can also view the RESTOREINPROGRESS registry key.
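The restore sequence in the remarks above (service stopped, full backup with -f, then each incremental, then start the service and confirm recovery from the event log and the restore registry key), as an added PowerShell example rather than code from the TechNet page. The CA configuration string, the DataBase subfolder check, and the event provider name used for the log query are assumptions; the script must run elevated on the CA host.

```powershell
# Added example, not from the TechNet page. Restores a full backup and then each
# incremental backup with the CA stopped, as the -restoredb remarks require, then
# starts the CA and checks that database recovery completed. Assumed: CA config
# string, the DataBase subfolder layout certutil -backup writes, and the event
# provider name used for the log check.
param(
    [Parameter(Mandatory)] [string]$FullBackup,                # tree written by certutil -backup / -backupdb
    [string[]]$IncrementalBackups = @(),                       # trees written with the 'incremental' keyword
    [string]$CAConfig = 'CA01.corp.example.com\EnterpriseCA'   # assumption: CAMachineName\CAName
)

# Refuse to start if any tree lacks database log files; a half-copied backup would
# otherwise be restored silently over the live database.
foreach ($tree in @($FullBackup) + $IncrementalBackups) {
    $logs = Get-ChildItem -Path (Join-Path $tree 'DataBase') -Filter '*.log' -ErrorAction SilentlyContinue
    if (-not $logs) { throw "$tree has no DataBase\*.log files; not a certutil backup tree" }
}

# The CA must be stopped for the whole restore; do not start it between steps.
Stop-Service -Name certsvc -Force
(Get-Service -Name certsvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Full backup first, with -f so the existing database files are overwritten ...
& certutil.exe -f -config $CAConfig -restoredb $FullBackup
if ($LASTEXITCODE -ne 0) { throw "full restore from $FullBackup failed (exit $LASTEXITCODE)" }

# ... then every incremental backup taken after it, still with the service stopped.
foreach ($inc in $IncrementalBackups) {
    & certutil.exe -config $CAConfig -restoredb $inc
    if ($LASTEXITCODE -ne 0) { throw "incremental restore from $inc failed (exit $LASTEXITCODE)" }
}

# Starting the service is what runs database recovery over the restored logs.
Start-Service -Name certsvc
try {
    (Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
} catch {
    # A failed recovery leaves the restore-in-progress registry state behind;
    # dump it for diagnosis before deciding whether to retry from the full backup.
    Write-Warning 'certsvc did not reach Running; current restore registry key follows'
    & certutil.exe -getreg restore
    throw
}

# Recovery is only confirmed by the CA answering and by its start being logged.
& certutil.exe -config $CAConfig -ping
if ($LASTEXITCODE -ne 0) { throw 'CA service started but does not answer -ping' }
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'   # assumption: CertSvc event source name
    StartTime    = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

The incremental trees are passed in the order they were taken; the page says order does not matter, but passing them chronologically costs nothing and makes a failed step easy to place. Compare the trees against the hashes recorded at backup time before running this.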

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file
Syntax
certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory|PFXFile

Parameters
-restorekey
Restores Certificate Services certificate and private key from the specified BackupDirectory or
PKCS #12PFXFile.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory that contains the PKCS #12 (.p12) file written by -backup or -backupkey.
PFXFile
Specifies the PKCS #12 PFX file.
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
• With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
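Restoring the CA key from a PKCS #12 file is the step where installing the wrong key (a stale export, or a leaf certificate exported by mistake) is most costly, so a practitioner checks what the file contains before handing it to -restorekey. The following is an added PowerShell example, not code from the TechNet page; the expected thumbprint, the CA configuration string and the EphemeralKeySet flag (.NET 4.7.2 or later) are assumptions, and the PFX is assumed to have come from -backupkey.

```powershell
# Added example, not from the TechNet page. Restores the CA certificate and key
# from a PKCS #12 file with -restorekey, but only after confirming the file holds
# the expected CA certificate together with its private key. Assumed: expected
# thumbprint recorded at backup time, CA config string, elevated shell on the CA.
param(
    [Parameter(Mandatory)] [string]$PfxFile,
    [Parameter(Mandatory)] [string]$ExpectedThumbprint,        # SHA-1 thumbprint noted when the backup was taken
    [string]$CAConfig = 'CA01.corp.example.com\EnterpriseCA'   # assumption: CAMachineName\CAName
)

$cred = Get-Credential -UserName 'pfx' -Message 'Password the PFX was protected with (32 characters max)'
$pw   = $cred.GetNetworkCredential().Password
if ([string]::IsNullOrEmpty($pw) -or $pw.Length -gt 32) {
    throw 'PKCS #12 passwords must be 1 to 32 characters (certutil limit).'
}

# Open the PFX without persisting its key into the caller's key store and compare
# what is inside with what we intend to install.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxFile, $pw, $flags)
try {
    $found = $cert.Thumbprint.ToUpperInvariant()
    $want  = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($found -ne $want) {
        throw "PFX holds $($cert.Subject) ($found), expected thumbprint $want; refusing to restore"
    }
    if (-not $cert.HasPrivateKey) {
        throw 'PFX has no private key; -restorekey would leave the CA unable to sign'
    }
    # A CA certificate carries the CA basic constraint; a leaf certificate here means the wrong export.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw 'certificate in PFX is not a CA certificate' }
    "Verified $($cert.Subject), thumbprint $found, valid until $($cert.NotAfter)"
} finally {
    $cert.Dispose()
}

# -f overwrites an existing key of the same name. Omit it when rebuilding onto a
# host that should have no CA key yet, so certutil fails instead of overwriting.
& certutil.exe -f -config $CAConfig -p $pw -restorekey $PfxFile
if ($LASTEXITCODE -ne 0) { throw "certutil -restorekey failed (exit $LASTEXITCODE)" }
```

Pass the thumbprint exactly as it was recorded at backup time; the script strips spaces and colons so either display form works. Run the database restore only after this step has succeeded.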

To dump the CA database schema, for example, column names, types, and max sizes
Syntax
certutil -schema [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [{ext | attrib | crl}]

Parameters
-schema
Dumps the CA database schema.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is,
CAMachineName\CAName).
ext
Displays the schema for Ext table.
attrib
Displays the schema for the Attrib (request attribute) table.
crl
Displays the schema for the certificate revocation list (CRL).
-?
Displays a list of certutil commands.
Remarks

• You must specify CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

Examples
To view the CA database schema, type:

certutil -schema

Formatting legend

Format                                              Meaning
Italic                                              Information that the user must supply
Bold                                                Elements that the user must type exactly as shown
Ellipsis (...)                                      Parameter that can be repeated several times in a command line
Between brackets ([])                               Optional items
Between braces ({}); choices separated by pipe (|)  Set of choices from which the user must choose only one
  example: {even|odd}
Courier font                                        Code or program output
