Monday 20 April 2015

Creating and assigning a certificate for encryption on a domain / non-domain instance of Data Protection Manager

If your DPM server is within the same domain as your CA, you can perform the following:

DPM can take advantage of certificate-based encryption - to set this up we can duplicate the "RAS and IAS Server" template on our CA:

So we go to the Certification Authority snap-in >> right-click "Certificate Templates" and choose Manage >> right-click "RAS and IAS Server" and hit "Duplicate" >> name the certificate template "DPM Authentication" >> make sure "Publish certificate in Active Directory" is enabled >> make sure "Allow private key to be exported" is enabled in the "Request Handling" tab.

We then close the Certificate Templates management window and right-click the "Certificate Templates" folder >> New >> Enable Certificate Template >> "DPM Authentication".

Via Certificate Services Web Enrollment, select "Advanced certificate request" and then "Create and submit a request to this CA" - the key should ideally be 2048 bits and must also be marked exportable!

Otherwise, if your DPM server is not within your local ADCS domain, you can generate a self-signed certificate within IIS and import it into the Computer certificate store under the DPMBackup store.

We should then modify the backup set and choose the "encryption of data" option - the backup process will automatically pick up the certificate stored in the DPMBackup store.
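The same outcome can be scripted rather than clicked through. The following is an added PowerShell example, not part of the original post: it either enrolls against the duplicated template (domain path) or creates a self-signed 2048-bit certificate with an exportable key (non-domain path), checks the key length and exportability the post calls for, takes a PFX backup of the private key, and places the certificate in the LocalMachine\DPMBackup store. The store name comes from the post; the subject name, PFX path and template name "DPMAuthentication" are assumptions, and the -KeyLength / -KeyExportPolicy / -NotAfter parameters of New-SelfSignedCertificate need the PKI module shipped with Windows Server 2016 / Windows 10 or later. Run it from an elevated session.

```powershell
# Added example (not from the original post): issue or self-sign a DPM
# encryption certificate, verify it, back up the key, and move it into the
# LocalMachine\DPMBackup store. Requires an elevated PowerShell session.
# Assumptions: host name, PFX path and template name are placeholders.

param(
    [string]$Subject      = "CN=dpm01.example.local",        # assumed host name
    [string]$StoreName    = "DPMBackup",                     # from the post
    [string]$PfxBackup    = "C:\Secure\dpm-encryption.pfx",  # assumed path
    [switch]$UseEnterpriseCA,                                # domain-joined path
    [string]$TemplateName = "DPMAuthentication"              # assumed template name
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

if ($UseEnterpriseCA) {
    # Domain path: enroll against the duplicated "RAS and IAS Server" template.
    # Get-Certificate wants the template *name* (no spaces), not its display name.
    $result = Get-Certificate -Template $TemplateName `
        -CertStoreLocation "Cert:\LocalMachine\My" -Url "ldap:"
    if ($result.Status -ne "Issued") {
        throw "Enrollment did not complete: status is $($result.Status)"
    }
    $cert = $result.Certificate
} else {
    # Non-domain path: self-signed, 2048-bit RSA, exportable private key.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -NotAfter (Get-Date).AddYears(5)
}

# Verify the properties the post asks for before relying on the certificate.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    throw "Key is only $keySize bits; the post calls for 2048."
}
if (-not $cert.HasPrivateKey) {
    throw "No private key is bound to certificate $($cert.Thumbprint)."
}

# Exportability check doubles as the key backup: if the private key is ever
# lost, data DPM encrypted with this certificate cannot be restored.
# Keep the PFX offline and protected with a strong password.
$pw = Read-Host -AsSecureString -Prompt "Password for PFX backup"
Export-PfxCertificate -Cert $cert -FilePath $PfxBackup -Password $pw | Out-Null

# Add to the DPMBackup store. Opening a LocalMachine store ReadWrite creates
# it if it does not yet exist. The private key reference travels with the
# certificate object, so the copy in DPMBackup keeps its key.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    $StoreName, "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# Remove the duplicate from "My" (no -DeleteKey, so the key itself stays).
Remove-Item -Path ("Cert:\LocalMachine\My\" + $cert.Thumbprint)

# Show what DPM will find when "encryption of data" is enabled.
Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Run with `-UseEnterpriseCA` on a domain-joined DPM server after the template has been enabled on the CA; omit the switch on a standalone server to take the self-signed route. The final listing should show exactly one certificate in DPMBackup with HasPrivateKey set to True; if it does not, the backup job will not be able to pick up a usable certificate.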


