Certification Authority Backup Script
Streamline your Root or Issuing CA backup process using pre-built scripts for both Luna and nCipher HSM environments. Maintain cryptographic integrity, ensure high availability, and meet compliance mandates effortlessly.
Backup Components
Private and Public Key Backup
Protect and store your CA’s private key in a secure exportable format. Also, export your CA’s public certificate for external validation.
Database Backup
Includes the CA database (certlog.edb) and supporting configuration files.
CA Registry Data
Capture registry-based configurations for restoration or replication.
CRL & AIA Files
Save Certificate Revocation List files and AIA configurations for full restoration.
Permissions
Preserve NTFS and share-level permissions tied to CA directories.
Pre-requisites
Make sure the following items are prepared prior to running the backup script:
HSM Health Check
Ensure Luna or nCipher HSM is reachable and functional. Confirm key containers are available.
Admin Rights Required
The script must be executed with administrative privileges to access CA services and directories.
Operation Schedule & Storage
Predefine your backup frequency (manual/automated) and ensure secure storage locations are accessible.
*Note: The script automatically verifies the availability of all critical dependencies before initiating backup.
Script Flow Description
The script is modular and adjusts to your environment (Luna or nCipher). Here’s what happens:
- Identifies active CA and HSM environment.
- Verifies the HSM status and required services.
- Initiates backup of CA database, private/public keys, CRL, AIA, and registry settings.
- Stores all data in a designated, timestamped backup folder.
*Note: The process is non-intrusive and ensures your CA services remain unaffected during backup.
Detailed Backup Procedures
nCipher HSM Backup
- Authenticates to the nCipher HSM
- Uses nfast tools to extract keys and wrap them securely
- Compresses key material with the CA database and metadata
Luna HSM Backup
- Authenticates to Luna HSM using vtl or lunacm
- Extracts and wraps the key material using PED-auth or password
- Encrypts backup and stores it with CRL and certificate files
Windows Non-HSM Backup
- Supports backup without external HSMs
- Uses native Windows tools to collect registry, DB, and certs
- Encrypts archive for secure storage
*Note: All backup packages are generated in compressed .zip format with detailed logs.
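A minimal sketch of the Windows non-HSM flow above using native Windows tooling. It is an added illustration, not the vendor's script. The target path `D:\CABackup`, the folder layout and the file names are assumptions, and the CA is assumed to use the default `CertSrv` directory.

```powershell
#Requires -RunAsAdministrator
# Added example (not the vendor's script): backup of a software-key AD CS CA.
# Assumes it runs on the CA server; paths and file names below are illustrative.
param(
    [string]$BackupRoot = 'D:\CABackup',               # hypothetical target folder
    [Parameter(Mandatory)][securestring]$KeyPassword   # protects the exported PKCS#12
)
$ErrorActionPreference = 'Stop'

# Pre-check: the CA service must be running for an online backup.
if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc is not running.' }

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "CA-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest | Out-Null
New-Item -ItemType Directory -Path (Join-Path $dest 'CA') | Out-Null
Start-Transcript -Path (Join-Path $dest 'backup.log') | Out-Null
try {
    # 1. CA database plus CA certificate and private key (password-protected .p12).
    Backup-CARoleService -Path (Join-Path $dest 'CA') -Password $KeyPassword

    # 2. CA registry configuration.
    $regFile = Join-Path $dest 'CertSvc-Configuration.reg'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed.' }

    # 3. Published CRL and CA certificate (AIA) files from the default CertEnroll folder.
    $certSrv = Join-Path $env:SystemRoot 'System32\CertSrv'
    Copy-Item -Path (Join-Path $certSrv 'CertEnroll') -Destination (Join-Path $dest 'CertEnroll') -Recurse

    # 4. NTFS ACLs on the CA directories, restorable later with icacls /restore.
    icacls.exe $certSrv /save (Join-Path $dest 'CertSrv-acl.txt') /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'ACL export failed.' }

    # 5. SHA-256 manifest so a restore can verify every file (the open log is skipped).
    $hashes = Get-ChildItem -Path $dest -Recurse -File |
        Where-Object Name -ne 'backup.log' | Get-FileHash -Algorithm SHA256
    $hashes | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
}
finally { Stop-Transcript | Out-Null }

# 6. Compressed package. Compress-Archive does not encrypt, so the .zip must be
#    placed on encrypted, access-controlled storage or wrapped by a separate tool.
Compress-Archive -Path $dest -DestinationPath "$dest.zip"
```

The resulting folder and archive contain the CA private key, so they need the same access controls as the CA itself, and the PKCS#12 password should be stored separately from the backup.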
Certification Authority Backup Script
For seamless PKI deployment, pair your backup strategy with our automated CA post-install configuration scripts.
Compatible with enterprise and standalone CAs
Whether running a standalone root CA or an enterprise-level PKI hierarchy, our backup scripts are designed to support both environments seamlessly.
Optimized for best practices in AIA/CDP publishing
Our scripts follow Microsoft-recommended best practices for publishing AIA and CDP locations.
Validated for Windows Server environments
Each script is tested and validated in Windows Server environments to ensure compatibility, reliability, and performance.
Ensures consistent configuration across Root and Sub-CAs
Achieve uniformity across your PKI setup by applying the same reliable configuration structure to both Root and Subordinate CAs.