Define Maintenance Strategies

Define your maintenance and disaster recovery strategies for CAs. Maintenance and disaster recovery strategies include the following:

• Types of backups you will perform for CAs
• Schedules for conducting backups of CAs
• Policies for restoring CAs
• Policies for EFS recovery agents
• Policies for secure mail recovery

Developing Recovery Plans

You can develop recovery plans to help restore CAs if certificate services fail or CAs are compromised. Test recovery plans to ensure that they work as intended, and train your administrative staff how to use the recovery plans.

Recovery plans can include the following:

• Recovery procedures and checklists for administrators to follow
• Recovery toolkits or pointers to the toolkits
• Contingency plans

For more information about backup and recovery in Windows 2000, see "Determining Windows 2000 Storage Management Strategies"in this book.

Failed Certification Authority

A CA can fail for a variety of reasons, such as a server hard drive failure, a failed network adapter, or a server motherboard failure. Some failures can be quickly corrected by locating and correcting the problem with the CA server. For example, you can replace a failed network adapter or a failed motherboard and restart the computer to restore certificate services.

If a hard disk has failed, you can replace the hard disk and restore the server and the CA from the most recent backup set. If the CA is damaged or corrupted, you can restore the CA from the most recent backup set on the server.

If you must replace the server, configure the new server with the same network name and IP address as the failed CA server. You can then use Windows 2000 Backup or the Certification Authorities Restore wizard to restore the CA from the most recent backup set.

Compromised Certification Authority

When a CA has been compromised, you must revoke the CA's certificate. Revoking a CA's certificate invalidates the CA and its subordinate CAs, as well as invalidating all certificates issued by the CA and its subordinate CAs. If you discover a compromised CA, perform the following activities as soon as possible:

• Revoke the compromised CA's certificate. If the CA has been renewed, revoke all of the CA's certificates only if all related keys have been compromised.
• Publish a new CRL containing the revoked CA certificate. Note that client applications can store the CRL until it expires, so you will not see the newly published CRL until the old one expires.
• Remove compromised CA certificates from Trusted Root Certification Authorities stores and CTLs.
• Notify all affected users and administrators of the compromise and inform them that certificates issued by the affected CAs are being revoked.
• Repair whatever led to the compromise.

To restore the CA hierarchy, you must deploy new CAs, or renew a CA's certificate and generate a new key to replace the compromised hierarchy. You must then reissue the appropriate certificates to users, computers, and services. Depending on where in the hierarchy the revocation occurred, it could require a new CA hierarchy or only a portion of it.

© 1985-2000 Microsoft Corporation. All rights reserved.