Certificate Server does not create backups of installed keys. If you intend to use the
certificate to encrypt persistent data such as e-mail, then you should
ensure that some form of back up protects the private key for that certificate.
If the key is unprotected, and is subsequently unavailable, then you
will be unable to decrypt data encrypted with the certificate.
The functions of a Certificate Server can be summarized as follows:
Receive certificate requests.Create certificates from the requests it receives.Distribute or publish certificates.Publish Certificate Revocation Lists (CRLs).
Some applications, which encrypt persistent data such as e-mail, have an
additional requirement to archive private keys of encryption
certificates. This is to ensure a users access to the data in the event
that they become unavailable. If that event occurs, the user can request a
copy of the private key from the archive. Exchange Advanced Security has
an additional service, the Key Manager Server (KMS), which performs this
Microsoft CSPs store the private keys in the registry. If Roaming
profiles are used, then the Windows NT infrastructure provides resilience for
the private keys. If Roaming profiles are not available, or a third-party
CSP is used that does not use the registry to store keys, separate
provisions should be made to back up the keys.