sara2000
Ent .CA private key

Hello experts out there.
I have a question about ent root CA's private key. We have a server which issues the cert to clients.
Do we have to back up the private key?
If so, what is the reason we have to back it up?
David Favor

Since https://LetsEncrypt.org certs are strong + free + auto-renewal can be automated via CRON jobs, there's really no reason to run a private CA anymore.

You asked, "Do we have to backup the private key ?"

Yes.

You also asked, "If so what Is the reason we have to backup?"

If you lose your Private Key, then you'll have to generate a new one, then reimport your entire issuer chain into every application again, then do the same with the cert.
Since https://LetsEncrypt.org certs are strong + free + auto-renewal can be automated via CRON jobs, there's really no reason to run a private CA anymore.
This is absolutely not true. A CA generates thousands of certificates for multiple different types of services automatically and you control the root, issuing and revocation.
The private key is needed to issue new certificates - so your CA will be useless without the private key.


You could add a new CA to your domain if the old one is lost. Currently issued certificates will still be valid (if the revocation list is still accessible at one of the locations built into each certificate), and after clients have received the new policy with the new root CA, you can issue new certificates from the new CA.

Depending on your environment, this may or may not satisfy your recovery requirements.
For public sites, LetsEncrypt could be an option, but as Shaun noted, there are sometimes requirements that cannot be met with an external CA (e.g. certificates for a legacy .local internal domain).
Another simple example is EFS. Without an enterprise CA all certificates are self-signed and no DRA certificate is added to encryption.

For other examples, simply look at the CA template list.
sara2000

ASKER

We use Microsoft ent CA, in which we have the option to back up the CA.
Does this mean that we do backup the public key?
Let's Encrypt does not (nor will any other public CA) issue certificates for .local or other non-public domain suffixes.
Same is more or less true for sub CA certificates.
Also personal certificates might be an issue.

As has been mentioned before you will need the private key somewhere to be able to issue new certificates.
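The asker's Microsoft Enterprise CA has a built-in backup, and the point raised above is that what must survive is the private key, not just the public certificate. The following is an added example (not code from anyone in this thread) showing how that backup is taken from PowerShell on the CA itself, and a check that the exported file really carries a private key matching the live CA certificate. It assumes the AD CS role with the ADCSAdministration module is installed; the backup path is a placeholder.

```powershell
# Added example for the thread above; not from the original posts.
# Assumes: run elevated on the CA server, ADCSAdministration module present.
# Placeholder backup location; use a volume that is itself backed up offline.
$BackupDir = 'D:\CABackup\{0}' -f (Get-Date -Format 'yyyyMMdd')
$Pwd       = Read-Host -Prompt 'Password for the exported key file' -AsSecureString

# Full CA backup: CA certificate + private key (written as a PKCS#12 .p12 file)
# plus the CA database and logs. -Force overwrites an existing directory.
Backup-CARoleService -Path $BackupDir -Password $Pwd -Force

# Key-only variant if you just want the certificate + private key:
#   Backup-CARoleService -Path $BackupDir -KeyOnly -Password $Pwd
# Equivalent legacy command:
#   certutil -backupKey -p <password> $BackupDir

# Check 1: the export contains a private key (a public-key-only file is useless
# for issuing or for restoring the CA).
$p12   = Get-ChildItem -Path $BackupDir -Filter '*.p12' | Select-Object -First 1
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $p12.FullName, $Pwd, $flags)
if (-not $exported.HasPrivateKey) {
    throw "Backup file $($p12.Name) has no private key; do not rely on it."
}

# Check 2: the exported certificate is the one the CA service is actually using
# (same thumbprint as the CA certificate in the machine store).
$live = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $exported.Thumbprint }
if (-not $live) {
    throw "Exported certificate does not match any certificate in LocalMachine\My."
}

"Backup OK: $($exported.Subject) thumbprint $($exported.Thumbprint), key present."
# Restore on a rebuilt CA later with Restore-CARoleService -Path <dir> -Password <pwd>.
```

The .p12 and its password are the crown jewels of the PKI: keep them on encrypted, access-controlled media separate from the database backup, and test a restore onto a lab CA before you need it.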
ASKER CERTIFIED SOLUTION
Shaun Vermaak
