Back Up Private Keys

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

After they are generated, the keys are stored in a self-signed certificate in the local computer certificate store. To back up the private keys, export this certificate from the secure signing computer and then store it on the secure backup computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Export the MS-DNSSEC certificate

First, export the MS-DNSSEC certificate from the local computer certificate store on the secure signing computer.

To export the MS-DNSSEC certificate

  1. On the secure signing computer, click Start, click Run, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, and then click Next.

  4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.

  5. In the console tree, open Certificates (Local Computer)\MS-DNSSEC\Certificates.

  6. In the details pane, right-click the certificate that was generated in the previous procedure, point to All Tasks, and then click Export.

  7. On the Welcome to the Certificate Export Wizard page, click Next.

  8. On the Export Private Key page, select Yes, export the private key and then click Next.

  9. On the Export File Format page, click Next.

  10. On the Password page, type a password under Password and Type and confirm password (mandatory), and then click Next.

  11. On the File to Export page, click Browse, and then browse to a location on your network or on removable media where you can save the certificate so that it will be accessible to the secure backup computer.

  12. After you have selected a location to save the certificate as a file, type a name for the file next to File name, and then click Save.

  13. Verify the file name and location is displayed under File name, click Next, and then click Finish.

  14. Verify that The export was successful is displayed, and then click OK.

  15. Move the saved file to the secure backup computer and delete any copies..


To restore the stored certificate from backup, copy the file to a DNS server and run the Certificate Import Wizard by using the previous procedure and choosing Import in step 6 instead of Export.

See Also


Checklist: Preparing to Deploy DNSSEC