Phidiax Tech Blog

Adventures in custom software and technology implementation.

SCVMM 2012 R2 Archiving Root CA server to VMM Library


When building a multi-tier Windows 2012 R2 Enterprise Certificate Authority with an off-line Root CA there is the decision of what to do with the offline Root CA server until it is needed again.

Proposed Solution

In many cases that server VM would be archived off to a drive and perhaps sent to an archive service site for long term storage. That still might be necessary as a failsafe, but for quick offline access that can be restored any time, it might be best served to archive that VM off to a VMM library server share.

Solution Benefits:

  • Saving the offline Root Certificate Authority is critical to your infrastructure when you need to resign the issuing certificate authority's root cert
  • Certificate Authorities commonly are forgotten due to the number of years that they are often in place before they need to be resigned, when certs unexpectedly begin to expire there is generally a scramble to get new certificates in place.
  • SCVMM is a single pane of glass to all things related to managing your VM infrastructure


In my case, I have 2 Hyper-V hosts managed within my System Center Virtual Machine Manager 2012 R2 lab environment. One of the Hosts has a large amount of available storage that I have joined to the SCVMM Library as a library share. I mainly use this secondary library to hold all of the ISO files and present those within SCVMM for building new VMs.


The offline Root CA VM gets stored in the library.


The Hyper-V library server is chosen.


The Archive folder on the Hyper-V library share is chosen as the place to store the archived VM.


Deploy VM job runs to move the VM data files and settings to the library share.


Verify that the data has been moved to that share location.


The Root-CA01 server is now in a stored state in the library server and is not impacting any production storage resources.



In conclusion, the aim here is to provide a quick solution to a misplace-able piece of technology, the Private Key Infrastructure. It is rather easy to forget the original design of the Certificate Authority, especially when only every 5 to 10 years anything needs to be done about it. When that time does come, it is generally a priority to get things restored quickly.

In this case, there is a quick and easy solution... Above, all that is necessary at this point is to right-click the stored VM, click Deploy, and you can point that resource to any Hyper-V host and network that are presented to it.


Privacy Policy  |  Contact  |  Careers

2009-2017 Phidiax, LLC - All Rights Reserved