Events Join us for Encryption Consulting Conference 2021 - product updates, workshops & more Register Now

Certification Authority Backup Script

Home » Certification Authority Backup Script

Overview

This power shell script takes the backup of the Certification Authority (CA). It will work for both Root CA as well as Issuing CA. It will take the back up of the following:

  • Database
  • Private key backup for nCipher HSM
  • CA Policy File
  • Configuration Registry Hive
  • Certificates
  • Templates details for Issuing CA

Note: This Script is written for nCipher HSM’s if you have any other HSM in your enviorments such as Gemalto Luna(SafeNet Luna) or Utimaco we will be able to help you do the Migration as well as automation around your PKI.

Buy Certification Authority Backup Script Verified License and Support

Buy Now
Pre-requisites - Certification Authority Backup Script

Pre-requisites:

  • Check for PKI Health.
  • Ensure you run the script as Admin on Powershell.
  • Check for the paths(location) and variables declared in the Variables Section in the script.
  • Check for HSM – nCipher (nShield Connect, nShield Edge and nShield Solo) connection with the CA.
  • Check for Admin card set (ACS) and Operational card set (OCS)

Description – Script Flow:

  • This script creates a timestamped destination folder (as CAbackup_$date) under one directory folder CABackup so that its easy to track the backed up data. Output directory at different timestamp will look like- C:\CAbackup\CABackup_13 May 2019-04_38_20 C:\CABackup\CABackup_13 May 2019-04_49_09
  • Private Key backup : 1) The script checks for the existence of nfast Service and if the service is in ‘running’ mode than it searches for the local folder. 2) Then it checks for the existence of a ‘local’ folder in C:\ProgramData\nCipher\Key Management Data and takes its backup at the destination(i.e. C:\CABackup) which gets automatically created when we run the script.
  • Database backup: Backup-CARoleService C:\CABackup -databaseonly This command takes only the backup of the database and not the private key as the private key has already been retrieved from the local folder.
  • Configuration registry Hive: 1) HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration $Path\CA_regedir_CertSvcConfiguration.reg 2) Using this path it will export the configuration registry file.
  • CA Policy File: It is a best practice to copy the CAPolicy.inf file into the destination directory (C:\CABackup). 1) By using this command – 2) Copy-Item $Env:windir\CAPolicy.inf -Destination $Path -Force -ErrorActionSilentlyContinue
  • CA Certificates & Certificates Chain – 1) In this script the cmd commands for retrieving and exporting the certificates have been piped through the powershell command, shown as below- 2) “certutil -ca.cert c:\CABackup\cacert.cer” | cmd 3) “certutil -ca.chain C:\CABackup\cachain.p7b” | cmd

Usage

Step 01

Ensure that we have this script –> CABackupHSM-nCipher.ps1 in C:\Scripts folder(or the directory where you have your .ps1 script).

Step 02

Go to the Start Menu -> Type cmd to go to the Command prompt and ensure to run as administrator(by right clicking).

Step 03

Then go to the directory where the script is residing (here its in, C:\Scripts)

cd C:\Scripts

Step 04

Then to run powershell script on command prompt, type

C:\Scripts>powershell .\ CABackupHSM-nCipher.ps1

DISCLAIMER: The script described in this document is written for specifically for nCipher HSMs but can be modified according to different HSMs. Please feel free to contact us at info@encryptionconsulting.com (Encryption Consulting, LLC) regarding any PKI related work.

Buy Certification Authority Backup Script

CA Backup HSM-nCipher

1 file(s) 18.66 KB

Buy Now
×

The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security

The command line signing tool provides a faster method to sign requests in bulk

Robust access control systems can be integrated with LDAP and customizable workflows to mitigate risks associated with granting wrong access to unauthorized users, allowing them to sign code with malicious certificates

Support for customized workflows of an “M of N” quorum with multi-tier support of approvers

Support for InfosSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing

Validation of code against UpToDate antivirus definitions for virus and malware before digitally signing it will mitigate risks associated with signing malicious code