Back up the CA and configuration

Migrating the CA may require removing the complete ADCS role. It is therefore necessary to first create a backup of the certificate database, the CA registry settings, and the CA certificate together with the private key of the CA. To do so, we refer to the guidelines provided in the Microsoft TechNet database. The following example shows a backup of a CA.

  1. Open a PowerShell session with administrator rights and create a directory for the backup at your preferred location.

  2. Back up the certification database.

›_ PowerShell

PS C:\> certutil -backupdb C:\backupCA

  3. Back up the private key and the CA certificate. Enter a secure password as the symmetric key to protect the PKCS#12 file.

›_ PowerShell

PS C:\> certutil -backupKey C:\backupCA
Enter new password:
Confirm new password:

  4. Back up the CA registry settings.

›_ PowerShell

PS C:\> reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc C:\backupCA\CAregistry.reg

  5. Stop the CA service.

›_ PowerShell

PS C:\> Stop-service certsvc
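
The following check is an added example, not part of the original guide: it confirms that the artifacts from the steps above exist, that the service is stopped, and that the folder holding the CA private key is not broadly accessible, then writes a SHA-256 manifest. The manifest file name and the list of group names are assumptions.

```powershell
# Added example: verify the backup set before the ADCS role is removed.
$BackupDir = 'C:\backupCA'          # directory used in the steps above
$Manifest  = Join-Path $BackupDir 'manifest.sha256.csv'   # hypothetical name
$problems  = @()

# certutil -backupdb places the database under a DataBase subfolder.
$edb = Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $edb) { $problems += 'No .edb file under DataBase (certutil -backupdb)' }

# certutil -backupKey writes the CA certificate and key as a .p12 file.
$p12 = Get-ChildItem -Path $BackupDir -Filter '*.p12' -ErrorAction SilentlyContinue
if (-not $p12) { $problems += 'No PKCS#12 file (certutil -backupKey)' }

# reg export must have produced a non-empty file.
$reg = Join-Path $BackupDir 'CAregistry.reg'
if (-not (Test-Path $reg) -or ((Get-Item $reg).Length -eq 0)) {
    $problems += 'CAregistry.reg missing or empty (reg export)'
}

# The CA service should be stopped after the last step.
if ((Get-Service -Name certsvc).Status -ne 'Stopped') {
    $problems += 'certsvc is not stopped'
}

# The folder holds the CA private key: flag broad access.
# Assumption: English group names; adjust for localized systems.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl = Get-Acl -Path $BackupDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
        $problems += "Backup folder is accessible to $($ace.IdentityReference.Value)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Backup set is incomplete or exposed; do not remove the ADCS role yet.'
}

# Record SHA-256 hashes so the files can be checked again after they are moved.
Get-ChildItem -Path $BackupDir -Recurse -File |
    Where-Object { $_.FullName -ne $Manifest } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $Manifest -NoTypeInformation
Write-Output "Backup verified; manifest written to $Manifest"
```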