Backup AD CS

Hi guys,

With the following steps you can back up a CA.

  • Export the CA configuration from the registry by running the following line at a command prompt:

reg export "HKLM\System\CurrentControlSet\Services\CertSvc\Configuration" c:\CaConfig\backup\configuration.reg /y

  • Open the AD CS MMC console and start a backup by choosing Backup CA. These are the steps:


When the wizard appears, push Next.


Select all check boxes and enter the path where the backup will be saved.


Enter a passphrase and push Next.


Push Finish.


In the folder where you have saved the backup you will find the CA Certificate and the database files.
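
The same backup can be scripted so that it is repeatable and its output is checked. The PowerShell below is an added example, not part of the original post; it assumes Windows Server 2012 or later (for the Backup-CARoleService cmdlet), and the timestamped subfolder and manifest.csv file are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows Server 2012 or
# later (ADCSAdministration module). The timestamped subfolder and manifest.csv
# are hypothetical choices made for this sketch.
param(
    [string]$BackupRoot = 'C:\CaConfig\backup',
    [Parameter(Mandatory)][securestring]$Password   # protects the exported .p12
)
$ErrorActionPreference = 'Stop'

$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Step 1: registry configuration, same key as the reg export command above.
$regFile = Join-Path $target 'configuration.reg'
& reg.exe export 'HKLM\System\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# Step 2: CA certificate, private key and database, as in the Backup CA wizard.
Backup-CARoleService -Path $target -Password $Password

# Step 3: confirm the expected artifacts exist and are not empty.
$p12 = @(Get-ChildItem -Path $target -Filter '*.p12')
$edb = @(Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb')
if ($p12.Count -eq 0) { throw 'No .p12 (CA certificate and private key) in backup' }
if ($edb.Count -eq 0) { throw 'No .edb (CA database) in backup' }

$files = @(Get-Item $regFile) + $p12 + $edb
$empty = $files | Where-Object { $_.Length -eq 0 }
if ($empty) { throw "Empty backup file(s): $($empty.Name -join ', ')" }

# Step 4: SHA-256 manifest so a later restore can detect corruption or tampering.
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

Write-Output "CA backup written to $target"
```

The .p12 file contains the CA private key, so the backup folder should be readable only by CA administrators and the passphrase stored separately from it.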



Prevent users from installing certificates on a desktop computer


Below I show how to prevent a user from installing certificates on a desktop.


In a new GPO, under User Configuration, configure the following settings to prevent a user from installing certificates with Internet Explorer or with the Certificates snap-in:


The next step is to use GPP to prevent a user from installing a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System


There we add the following executables:







Then add a new user group and deny it permissions.


When a user double-clicks a certificate, the following message appears.



Warning in Windows XP when accessing HTTPS websites


Today an end user told me that when she goes to a secure website (HTTPS) it shows a warning message like this:


The problem is that she is using Windows XP and needs a fix to solve it; she can't access any website over HTTPS. The issue is interesting because it affects all certificates with less than 1024 bits. Here is the link to the KB.


How to know if a CA is Enterprise or Standalone

Hi there!

I'm going to migrate a CA from Windows 2003 (x86) to 2008 R2, and to know whether the CA is Standalone or Enterprise I need to do one of the following:

  • Type the command: certutil -getreg ca\catype
  • Open the CertSrv.msc console and locate the Certificate Templates node. This node exists on Enterprise CAs only.
  • In Sites and Services, select Show Services Node in the view pane. Go to Services, Public Key Services, Enrollment Services. If the CA name appears there as an object, your CA is an Enterprise CA; if not, it is a Standalone CA.