Windows 2003 Enterprise CA & Restored State

Chris Hayes

Looking for any guidance regarding an enterprise CA that experienced a power
failure and was restored to a saved state. Any certificates issued after the
restored date are not reflected in the Certificate Authority management
console, yet they can still be used (smartcards, SSL, etc.) and come up as
valid when checked with the Certificates MMC snap-in.

The Enterprise CA itself (subordinate to an offline root), is Windows 2003
Enterprise Edition running as a virtual machine session on a server running
Virtual Server 2004. This is running in a non-production capacity, but I would
like to resolve it without rebuilding the CA.

Thanks.
 
Vishal Agarwal[MSFT]

After a power failure, the CA should be able to perform recovery using the
existing database log files and recover the state back to the last completed
database transaction. This procedure should roll back only incomplete
transactions, and not lose any issued certs.

A fallback strategy would be to restore the database, etc. from backup, but
to also add in any log files saved from the log directory prior to the
restore operation. When the CA is restarted it should include the
transactions from the additional log files, and again capture all of the
completed transactions.

A third strategy would seem to be the one you have taken, which is to
restore from backup and thereby lose all of the certs issued since the
backup was performed.

To re-add the missing certs, you will need to collect the certs into files,
and add each one via the following command:

certutil -importcert cert1.cer

If you can't easily obtain the missing certs, you will at least need to
obtain the serial numbers. It may be possible to use the Windows 2003
certutil -sign command to create a dummy certificate with a specified serial
number, signed by a selected CA cert (via certutil U/I), so that it can be
imported into the CA's database:

certutil -sign SerialNumber outfile.cer

Thanks,
Vishal Agarwal [MSFT]
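The re-import step in the reply above, written out as a script, is an added example and not code from the thread or from Microsoft. It assumes a Windows Server 2003 CA with certutil.exe on the PATH, that it is run on the CA as a CA administrator, and that the recovered certificate files sit in the hypothetical folder C:\Recovered-Certs. For each .cer file it reads the serial number, checks whether the CA database already has a row for it (certutil -view with a SerialNumber restriction), runs certutil -importcert only when the row is missing, and then re-checks so the log shows which certificates the database now knows about.

```powershell
# Added example (not from the thread): re-import certificates issued after the
# restore point into the CA database, then confirm each serial number is present.
# Assumptions: run on the CA as a CA administrator; recovered .cer files are in
# $CertDir (hypothetical path); certutil.exe from Windows Server 2003 is on the PATH.
param(
    [string]$CertDir = 'C:\Recovered-Certs',              # assumed folder of .cer files
    [string]$LogFile = 'C:\Recovered-Certs\import.log'    # assumed log location
)

function Get-SerialFromCer {
    param([string]$Path)
    # Read the serial number from the certificate itself so the comparison is
    # against the hex string the CA database stores (lowercased, no spaces).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.SerialNumber.ToLower()
}

function Test-SerialInCaDb {
    param([string]$Serial)
    # certutil -view with a restriction prints one "Row N:" block per matching
    # database row; a first row means the CA already knows this serial number.
    $out = & certutil -view -restrict "SerialNumber=$Serial" -out "RequestID,SerialNumber" 2>&1
    return (@($out) -match '^Row 1:').Count -gt 0
}

$results = @()
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
    $serial = Get-SerialFromCer $file.FullName
    if (Test-SerialInCaDb $serial) {
        # Skip rows that survived the restore; -importcert would error on a duplicate.
        $status = 'already-present'
    } else {
        # The command from the reply above, one call per certificate file.
        $null = & certutil -importcert $file.FullName 2>&1
        if ($LASTEXITCODE -eq 0 -and (Test-SerialInCaDb $serial)) {
            $status = 'imported'
        } else {
            $status = "FAILED (certutil exit code $LASTEXITCODE)"
        }
    }
    $results += New-Object PSObject -Property @{ File = $file.Name; Serial = $serial; Status = $status }
}

# Show the outcome on screen and keep a tab-separated record for the change log.
$results | Format-Table File, Serial, Status -AutoSize
$results | ForEach-Object { "{0}`t{1}`t{2}" -f $_.File, $_.Serial, $_.Status } |
    Out-File -FilePath $LogFile -Encoding ASCII
```

The pre-check matters because the point of the exercise is to get every issued certificate back into the database so that it can later be revoked and appear on a CRL; a certificate the CA does not know about validates fine (as the question describes) but cannot be revoked through the console. Any file that ends up in the FAILED column is one to revisit, either by re-running certutil -importcert by hand to see the error text, or, if only the serial number is known, by the certutil -sign approach the reply mentions.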
 
