13.9. Backing up and Restoring Certificate System

Backup and restore tools are not included with the Certificate System. However, the Certificate System components can still be archived and restored manually, and this can be necessary for deployments where information cannot be accessed if certificate or key information is lost. There are three major parts of the Certificate System which need backed up routinely in case of data loss or hardware failure:
  • Internal database. Subsystems use an LDAP database to store their data. The Directory Server provides its own back up scripts and procedures.
  • Security databases. The security databases store the certificate and key material. If these are stored on an HSM, then consult the HSM vendor documentation for information on how to back up the data. If the information is stored in the default directories in the instance alias directory, then it is backed up with the instance directory. To back it up separately, use a utility such as tar or zip.
  • Instance directory. The instance directory contains all configuration files, security databases, and other instance files. This can be backed up using a utility such as tar or zip.

13.9.1. Backing up and Restoring the LDAP Internal Database

The Red Hat Directory Server documentation contains more details information on backing up and restoring the databases.
There are two tools that are used to back up Directory Server instance: db2ldif and db2bak command. Using db2ldif with the -n option backs up a single, specific subsystem database.
db2ldif -n slapd-pki-ca1 -a pki-ca1-backup.ldif
Using db2bak command backs up all Certificate System subsystem databases for that Directory Server (and any other databases maintained by that Directory Server instance):
db2bak /my/backup/directory
To restore an LDIF file, use the ldif2db command to import the LDIF. It is possible to specify a single database to restore from the backup.
ldif2db -n slapd-pki-ca1 -i pki-ca1-backup.ldif
To restore a backup file, use the bak2db file; it is possible to specify a single database to restore from the backup.
bak2db /var/lib/dirsrv/slapd-instance_name/bak/backup_file -n slapd-pki-ca1

13.9.2. Backing up and Restoring the Instance Directory

The instance directory has all of the configuration information for the subsystem instance, so backing up the instance directory preserves the configuration information not contained in the internal database.
  1. Stop the subsystem instance.
    systemctl stop pki-tomcatd@instance_name.service
  2. Save the directory to a compressed file. For example:
    cd /var/lib/pki
    tar -chvf /export/archives/pki/instance_name.tar instance_name/
  3. Restart the subsystem instance.
    systemctl start instance_name


Stop the subsystem instance before backing up the instance or the security databases.
The Certificate System backup files, both the alias database backups and the full instance directory backups, can be used to replace the current directories if the data are corrupted or hardware is damaged. To restore the data, uncompress the archive file using the unzip or tar tool, and copy the archive over the existing files.
To restore the instance directory:
  1. Uncompress the archive; for example, untar a instance_name directory archive:
    cd /export/archives/pki/
    tar -xvf instance_name.tar
  2. Stop the subsystem instance if it has not already been stopped.
    systemctl stop pki-tomcatd@instance_name.service
  3. Copy the archived files to the directory. For example, restore the instance directory:
    cp -r /export/archives/pki/instance_name /var/lib/pki/instance_name
  4. Restart the subsystem instance.
    systemctl start pki-tomcatd@instance_name.service


Stop the subsystem instance before restoring the instance or the security databases.