Certificate Backup Guide

TL;DR

Back up your locally stored certificates regularly to a safe location (external drive, cloud storage) and verify the backups are working. This guide shows you how.

1. Understand Your Certificates

Before backing up, know what you’re dealing with. Certificates usually come in these formats:

  • .cer / .crt: Public certificate – often shareable.
  • .key: Private key – keep this extremely safe! Never share it.
  • .pfx / .p12: Container file holding both the public certificate and private key, usually password protected.

You’ll likely find them in folders like:

  • Windows: C:\ProgramData\Microsoft\Crypto\PKI (hidden folder – enable ‘Show hidden files’ in File Explorer)
  • macOS: Keychain Access application.
  • Linux: Often in user directories, e.g., ~/.ssh/ or /etc/ssl/certs/

2. Choose a Backup Location

Select a secure backup location:

  • External Hard Drive: Good for offline storage, but prone to failure if not stored safely.
  • Cloud Storage (e.g., Google Drive, OneDrive, Dropbox): Convenient and offers redundancy, but consider security implications. Use strong passwords and enable two-factor authentication.
  • Network Attached Storage (NAS): A good balance of convenience and control.

Important: Do not store backups on the same drive as your original certificates.

3. Backup Methods

  1. Simple Copying: For .cer/.crt files, simply copy them to your backup location.
  2. Export from Keychain Access (macOS):
    • Open Keychain Access.
    • Select the certificate you want to back up.
    • File > Export Items…
    • Choose a secure location and set a password if prompted (.p12 format is recommended).
  3. Export from Windows Certificate Manager:
    • Open the Microsoft Management Console (mmc.exe).
    • Add the Certificates snap-in for ‘Local Computer’ account.
    • Navigate to the certificate you want to back up.
    • Right-click > All Tasks > Export…
    • Follow the wizard, choosing a secure location and setting a strong password (Personal Information Exchange – .pfx format is recommended). Ensure ‘Export private key’ is checked if needed.
  4. OpenSSL (Linux/Advanced): If you have certificates in plain text formats (.key, etc.), use OpenSSL to create a PKCS#12 bundle:
    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca.crt

4. Automate Backups (Optional)

For regular backups, consider automation:

  • Windows Task Scheduler: Create a scheduled task to copy certificate folders to your backup location.
  • macOS Time Machine: Includes certificates in its standard backups.
  • Linux Cron Jobs: Schedule OpenSSL commands or file copies using cron.
    0 0 * * * cp -a /path/to/certificates /path/to/backup_location

5. Verify Your Backups

Crucially, test your backups!

  • Restore a certificate: Try importing the backed-up .pfx/.p12 file into a new location or another computer to ensure it works correctly.
  • Check File Integrity: Ensure the backup files are not corrupted (e.g., open them with a text editor – they should be readable, even if you don’t understand the content).
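
A scripted version of the restore test above, as an added example that is not part of the original guide: it opens the PKCS#12 backup with its password and confirms that it holds the expected certificate and a private key matching it, without writing the key to disk. The function names, the password file pass.txt and the throwaway self-signed certificate are constructed for illustration; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example: check that a PKCS#12 backup really restores the expected
# certificate and its private key. The key only passes through a pipe.

# verify_pfx_backup BACKUP.pfx PASSWORD_FILE ORIGINAL.crt -> 0 if restorable
verify_pfx_backup() {
    pfx=$1 passfile=$2 cert=$3

    # 1. The container must parse and its MAC must verify with the password.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -noout 2>/dev/null || {
        echo "FAIL: cannot open $pfx (corrupt file or wrong password)" >&2
        return 1
    }

    # 2. The certificate inside must be the one we meant to back up.
    want_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    got_fp=$(openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$got_fp" ] && [ "$got_fp" = "$want_fp" ] || {
        echo "FAIL: backup holds a different certificate" >&2
        return 1
    }

    # 3. The private key inside must match that certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || {
        echo "FAIL: private key missing or not matching the certificate" >&2
        return 1
    }
    echo "OK: $pfx restores the expected certificate and private key"
}

# Constructed sample data: throwaway self-signed certificate, key, password
# file and .pfx written into directory $1 (no CA chain, so no -certfile).
make_sample_backup() {
    printf '%s\n' 'constructed-demo-password' > "$1/pass.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=backup-test.example' \
        -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/certificate.pfx" -inkey "$1/private.key" \
        -in "$1/certificate.crt" -passout "file:$1/pass.txt"
}

# Demo run in a temporary directory that is removed afterwards.
demo_dir=$(mktemp -d) && make_sample_backup "$demo_dir" &&
    verify_pfx_backup "$demo_dir/certificate.pfx" "$demo_dir/pass.txt" "$demo_dir/certificate.crt"
rm -rf "$demo_dir"
```

Keep the password file on different media from the .pfx it unlocks, otherwise the backup is only as protected as that one location.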