12.10. Backing up and Restoring Certificate System
Backup and restore tools are not included with Certificate System. However, the Certificate System components can still be archived and restored manually, and this is necessary for deployments where information becomes inaccessible if certificate or key information is lost (for example, data encrypted under keys held by a subsystem). There are three major parts of Certificate System which need to be backed up routinely in case of data loss or hardware failure:
- Internal database. Subsystems use either an LDAP database or a SQLite database to store their data. Both the Directory Server and SQLite provide their own backup scripts and procedures.
- Security databases. The security databases store the certificate and key material. If these are stored on an HSM, consult the HSM vendor documentation for information on how to back up the data; the private keys never leave the HSM, so an archive of the instance directory alone does not cover them. If the information is stored in the default directories in the instance alias directory, then it is backed up together with the instance directory. To back it up separately, use a utility such as tar or zip. Treat these backups with the same access controls as the live alias directory: the key database holds the subsystem's private keys, protected only by the NSS database password.
- Instance directory. The instance directory contains all configuration files, security databases, and other instance files. This can be backed up using a utility such as tar or zip.
12.10.1. Backing up and Restoring the LDAP Internal Database
The Red Hat Directory Server documentation contains more detailed information on backing up and restoring the databases.
Two tools are used to back up a Directory Server instance: db2ldif and db2bak. Running db2ldif with the -n option backs up a single, specific subsystem database to an LDIF file:
db2ldif -n slapd-pki-ca1 -a pki-ca1-backup.ldif
Running db2bak backs up all Certificate System subsystem databases for that Directory Server (and any other databases maintained by that Directory Server instance):
db2bak /my/backup/directory
To restore an LDIF file, use the ldif2db command to import the LDIF. It is possible to specify a single database to restore from the backup:
ldif2db -n slapd-pki-ca1 -i pki-ca1-backup.ldif
To restore a db2bak backup, use the bak2db command; it is also possible to specify a single database to restore from the backup:
bak2db /var/lib/dirsrv/slapd-instance_name/bak/backup_file -n slapd-pki-ca1
These four scripts operate on the database files directly and expect the Directory Server to be stopped; their .pl counterparts (db2ldif.pl, db2bak.pl) submit the same operations as tasks to a running server. Because ldif2db and bak2db replace the contents of the target database, stop the Certificate System subsystems that use it before restoring, and restart them only after the import completes.
12.10.2. Backing up and Restoring the SQLite Internal Database
RA subsystems store their information in a SQLite database. This contains all of the information about certificate operations. In the commands below, {pki-ra} is the RA instance name and {pki-ra.db} is the path to its SQLite database file.
To back up the SQLite database:
- Stop the RA instance.
# service {pki-ra} stop
- Dump the database contents and write them to a backup file. The dump is plain SQL text containing the RA's request data, so protect the backup file as carefully as the database itself.
# sqlite {pki-ra.db} .dump > {pki-ra.db}.bak
- Restart the RA.
# service {pki-ra} start
To restore the SQLite database:
- Stop the RA instance.
# service {pki-ra} stop
- Save the current SQLite database. This step is required: replaying the dump into a file that still holds the old schema would fail on the dump's CREATE TABLE statements.
# mv {pki-ra.db} {pki-ra.db}.old
- Load the backed up database into a fresh file.
# sqlite {pki-ra.db} < {pki-ra.db}.bak
- Restart the RA.
# service {pki-ra} start
12.10.3. Backing up and Restoring the Instance Directory
The instance directory has all of the configuration information for the subsystem instance, so backing up the instance directory preserves the configuration information not contained in the internal database.
- Stop the subsystem instance.
service pki-ca stop
- Save the directory to an archive file. For example:
cd /var/lib
tar -chvf /export/archives/ca/pki-ca.tar pki-ca/
The -h option makes tar follow symbolic links and archive the files they point to, so links within the instance directory are captured as real files; add -z to compress the archive. Because the archive includes the alias directory with the subsystem's private keys, create it with restrictive permissions (for example, under umask 077) and store it with the same access controls as the live instance.
- Restart the subsystem instance.
service pki-ca start
NOTE
Stop the subsystem instance before backing up the instance or the security databases.
The Certificate System backup files, both the alias database backups and the full instance directory backups, can be used to replace the current directories if the data are corrupted or hardware is damaged. To restore the data, unpack the archive file using the unzip or tar tool, and copy the archive over the existing files.
To restore the instance directory:
- Unpack the archive; for example, untar a pki-ca directory archive:
cd /export/archives/ca/
tar -xvf pki-ca.tar
- Stop the subsystem instance if it has not already been stopped.
service pki-ca stop
- Copy the archived files into place. Use cp -a (or cp -rp) rather than a plain cp -r so that ownership and permissions are preserved: the subsystem runs as an unprivileged user and the alias databases must stay readable only by that user. Copy into the parent directory; copying onto an existing /var/lib/pki-ca with cp -r would create /var/lib/pki-ca/pki-ca instead of replacing the instance. For a clean restore, move the existing, corrupted instance directory aside first so that no stale files survive alongside the restored ones. For example, restore the instance directory:
cp -a /export/archives/ca/pki-ca /var/lib/
- Restart the subsystem instance.
service pki-ca start
NOTE
Stop the subsystem instance before restoring the instance or the security databases.
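The following helper script is an added example and is not part of the Certificate System documentation or product. It implements the SQLite backup and restore steps of Section 12.10.2 and the instance directory backup and restore steps of Section 12.10.3 as shell functions, adding the checks the procedure itself leaves out: it refuses to archive a running instance, creates owner-only archives with a SHA-256 digest, verifies that digest before restoring, and checks SQLite integrity before dumping. The pid-file path is an assumption about the deployment, sqlite3 stands in for the sqlite client named in the text, and the restore assumes the archive's top-level directory carries the instance directory's name, as the tar command above produces.

```shell
#!/bin/sh
# Added example, not part of the Certificate System documentation: helper
# functions for the SQLite (12.10.2) and instance directory (12.10.3) backup
# and restore steps, with the checks the procedure itself leaves out.
# Assumptions: the instance keeps a pid file (path is deployment specific),
# and sqlite3 is the installed SQLite client (the text names "sqlite").
set -eu

# instance_is_stopped <pidfile>
# The procedure requires a stopped instance; archiving a live one can capture
# half-written configuration and security databases.
instance_is_stopped() {
    pidfile=$1
    [ -f "$pidfile" ] || return 0
    ! kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# backup_instance <instance dir> <archive path> [pidfile]
# Archives the whole instance directory (conf/, alias/, ...) readable by the
# owner only, confirms the archive is readable, and records a SHA-256 digest
# beside it so that a later restore can detect a corrupted or altered archive.
backup_instance() {
    src=$1; archive=$2
    if [ $# -ge 3 ] && ! instance_is_stopped "$3"; then
        echo "$src is still running; stop it before backing up" >&2
        return 1
    fi
    dir=$(dirname "$archive"); base=$(basename "$archive")
    (
        umask 077                      # the archive holds private key material
        tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")"
        tar -tf "$archive" >/dev/null  # fail now rather than at restore time
        cd "$dir" && sha256sum "$base" >"$base.sha256"
    )
}

# verify_archive <archive path>   -> 0 only if the recorded digest still matches
verify_archive() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1)
}

# restore_instance <archive path> <instance dir>
# Unpacks into a staging directory first, moves the current (possibly corrupt)
# instance aside, then swaps the restored copy into place. Run as the user that
# created the archive, or as root, so ownership inside it is preserved. Assumes
# the archive's top-level directory has the same name as <instance dir>.
restore_instance() {
    archive=$1; dest=$2
    verify_archive "$archive" || {
        echo "digest mismatch for $archive; refusing to restore" >&2; return 1; }
    staging=$(mktemp -d "$(dirname "$dest")/restore.XXXXXX")
    tar -C "$staging" -xf "$archive"
    if [ -d "$dest" ]; then mv "$dest" "$dest.old.$(date +%Y%m%d%H%M%S)"; fi
    mv "$staging/$(basename "$dest")" "$dest"
    rmdir "$staging"
}

# dump_sqlite_db <db file> <dump file>
# The ".dump > backup" step, but it refuses to dump a database that fails its
# own integrity check, so the backup is not merely a copy of existing damage.
dump_sqlite_db() {
    db=$1; out=$2
    [ "$(sqlite3 "$db" 'PRAGMA integrity_check;')" = ok ] || {
        echo "$db failed integrity_check; not dumping it" >&2; return 1; }
    ( umask 077; sqlite3 "$db" .dump >"$out" )   # plaintext SQL: protect it too
}

# load_sqlite_db <dump file> <db file>
# The restore step: the current file is moved aside first, because replaying
# the dump's CREATE TABLE statements against an existing schema would fail.
load_sqlite_db() {
    dump=$1; db=$2
    if [ -f "$db" ]; then mv "$db" "$db.old"; fi
    sqlite3 "$db" <"$dump"
}
```

After `service pki-ca stop`, a backup is `backup_instance /var/lib/pki-ca /export/archives/ca/pki-ca.tar /var/run/pki-ca.pid` and a restore is `restore_instance /export/archives/ca/pki-ca.tar /var/lib/pki-ca`. The `.old` copies that `restore_instance` and `load_sqlite_db` leave behind contain the same key and request material as the live data; remove them once the restored instance is confirmed working.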