Symantec 10551441 Reference Guide - Page 51

Server group root key archival, About promoting secondary servers to primary servers



51
How certificates are implemented
Other certificate details

Server group root key archival

You must closely guard the private key that is associated with the server group root certificate. No tool should be capable of moving your private key from the primary server in your environment. Back up your private key to a removable storage device, secure the device in a vault, delete the key from the primary server, and remove it from the Recycle Bin on Windows computers. Use this key only when you add secondary servers. When you need to add a secondary server, restore the private key to the private-keys directory on the primary server, add the secondary server, and then re-secure the key.

Warning: Do not lose your server group root private key. If you do, you will not be able to add secondary servers to your server group. If you lose your key, create another server group and move your secondary servers and clients to that group.

About promoting secondary servers to primary servers

When you promote a secondary server to a primary server, the server group private key is not automatically copied to the new primary server, even if it exists on the demoted primary server. To add servers to a server group that has a new primary server, you must copy the server group private key to the \pki\private-keys directory on the new primary server.
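The archive, restore and re-secure cycle described above, as an added PowerShell example that is not part of the Symantec guide. The install directory and the key file name are placeholders (the guide names only the \pki\private-keys directory), and the removable device is assumed to be mounted as E:\.

```powershell
# Added example, not from the Symantec guide. $InstallRoot and $KeyFileName are
# placeholders: the guide names the \pki\private-keys directory but not the file.
param(
    [string]$InstallRoot  = 'C:\Program Files\Symantec\<server-install-dir>',  # placeholder
    [string]$KeyFileName  = '<server-group-root-key-file>',                     # placeholder
    [string]$ArchiveDrive = 'E:\'                                               # removable device
)

$KeyDir  = Join-Path $InstallRoot 'pki\private-keys'
$KeyPath = Join-Path $KeyDir $KeyFileName

function Backup-RootKey {
    # Copy the key to the removable device, verify the copy with SHA-256, then
    # delete the original. Remove-Item does not go through the Recycle Bin, so
    # there is nothing to empty afterwards (unlike a delete from Explorer).
    if (-not (Test-Path $KeyPath))      { throw "No key at $KeyPath; nothing to archive." }
    if (-not (Test-Path $ArchiveDrive)) { throw "Removable device $ArchiveDrive is not present." }
    $dest = Join-Path $ArchiveDrive $KeyFileName
    Copy-Item -Path $KeyPath -Destination $dest -Force
    $srcHash = (Get-FileHash -Path $KeyPath -Algorithm SHA256).Hash
    $cpyHash = (Get-FileHash -Path $dest    -Algorithm SHA256).Hash
    if ($srcHash -ne $cpyHash) { throw "Hash mismatch; original left in place on the primary server." }
    Remove-Item -Path $KeyPath -Force
    Write-Output "Archived to $dest (SHA256 $cpyHash); original removed from the primary server."
}

function Restore-RootKey {
    # Put the key back only for as long as it takes to add the secondary server.
    $src = Join-Path $ArchiveDrive $KeyFileName
    if (-not (Test-Path $src)) { throw "Archived key not found at $src." }
    Copy-Item -Path $src -Destination $KeyPath -Force
    Write-Output "Key restored to $KeyPath. Run Backup-RootKey again after adding the secondary server."
}

function Test-RootKeyAbsent {
    # Periodic check: outside of a secondary-server addition the key must not be
    # on the primary server. Returns $true when the private-keys directory is clean.
    $present = Test-Path $KeyPath
    if ($present) { Write-Warning "Server group root private key is present at $KeyPath." }
    return (-not $present)
}
```

The hash check only confirms the copy is intact; keeping the device in a vault, as the guide requires, is a physical control the script cannot enforce.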
About viewing certificates

Internet Explorer and most Web browsers let you view certificates. Typically, Web browsers have a file association for the .cer extension, so you can double-click a .cer file and view it in a certificate viewer. If you have not installed a certificate in the Web browser before you view it, the certificate viewer typically warns you that the certificate is not trusted. If you install the certificate from the certificate viewer, most Web browsers then trust the certificate and display additional information about it.