Unable to backup private keys on CA

I just finished migrating the CA from a 2003 server to a 2012 server. It seems to be working okay but now on the new server I want to get rid of old expired certificates. Before doing so I want to make a backup of the CA database. But when I try I get the message "Windows cannot back up one or more private keys because the CSP does not support key export. Do you want to continue and back up only the private keys that can be exported?"

When starting the backup, I selected both options "Private key and CA certificate" and "Certificate database and certificate database log", but not the sub-option "Perform incremental backup".

What am I missing here and how do I fix it? I suspect this has something to do with the recent CA migration between servers though if so I don't know how.

October 30th, 2013 1:44pm

See http://www.windows-server-answers.com/microsoft/Windows-Server-Security/32994920/backup-certificate-when-mark-key-as-exportable-was-not-choosen-.aspx

If you know which key it is, you can revoke it and create a new one with the export flags.

October 30th, 2013 2:01pm

That's a good answer Tom, I just don't know which key or keys were not exportable. I guess I'll get rid of the expired certs and hope that that takes care of the non-exportable issue.

October 30th, 2013 2:07pm
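
One way to find out which keys are not exportable, as an added example that is not part of the original thread: the PowerShell below lists every certificate in the local machine Personal store with its expiry, whether it is a CA certificate, and whether its private key is marked exportable. It assumes the CA certificates and keys are in that store and use a legacy CryptoAPI CSP, as the error message suggests; the variable and column names are illustrative.

```powershell
# Added example: report, for every certificate in the local machine Personal
# store, whether its private key is marked exportable. Run elevated on the CA.
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $bc = $cert.Extensions | Where-Object { $_ -is $bcType }
    $exportable = 'n/a (no private key)'
    $provider   = ''
    $container  = ''

    if ($cert.HasPrivateKey) {
        try {
            # Works for legacy CryptoAPI CSP keys. For CNG (KSP) keys the
            # PrivateKey property is empty or throws, which is caught below.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($null -eq $info) { throw 'key not readable through CryptoAPI' }
            $provider   = $info.ProviderName
            $container  = $info.KeyContainerName
            $exportable = $info.Exportable   # throws for some hardware-backed keys
        } catch {
            $exportable = "unknown ($($_.Exception.Message))"
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        Exportable = $exportable
        Provider   = $provider
        Container  = $container
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
```

Rows with IsCA set to True and Exportable set to False are the likely candidates for the keys the backup wizard reports it cannot export.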

Hi,

I would like to confirm whether you followed the article below when you did the CA migration:

http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

For the "cannot back up one or more private keys" error, we may refer to the similar thread below:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/00124078-1cd7-44be-aafb-8eb9e3179a79/windows-cannot-back-one-or-more-private-keys-because-the-csp-does-not-support-key-export-while?forum=winserversecurity

Hope this helps.

Regards,

Yan Li

November 4th, 2013 5:48am

Was there a resolution to this issue? I'm trying to migrate to Windows 2012 R2 from a server that was just upgraded to 2008 R2 successfully a few months ago and getting the same error. I have found two old certs that aren't exportable and two new ones that are.
May 20th, 2015 11:40pm

This topic is archived. No further replies will be accepted.
