Implementing Key Archival

Applies To: Windows Server 2008

This topic includes requirements and procedures for implementing key archival using Active Directory® Certificate Services (AD CS) and the Windows Server® 2008 operating system.

Review and complete each of the following sections to implement key archival:

  • Configuring a key recovery agent certificate template

  • Adding a key recovery agent certificate template to an enterprise CA

  • Enrolling key recovery agents

    • Requesting a key recovery agent certificate by using the Certificates snap-in

    • Issuing a key recovery agent certificate

    • Retrieving an issued key recovery agent certificate

  • Configuring a CA for key archival and recovery

    • Adding key recovery agent certificates to a CA

    • Configuring certificate templates for key archival

Configuring key recovery agent certificate templates

As with other types of certificates, enabling enrollment for key recovery agent certificates requires configuration of a certificate template and addition of the template to an enterprise CA.

Enterprise CAs running on Windows Server 2008 or Windows Server 2003 include a key recovery agent certificate template in the CA's collection of default certificate templates. The default configuration of the key recovery agent certificate template grants permissions to Domain Admins and Enterprise Admins to enroll for key recovery agent certificates.

Complete the following procedure to grant enrollment permissions to additional users or groups on a key recovery agent certificate template. You must be a member of the Domain Admins or Enterprise Admins group to complete this procedure.

To configure a key recovery agent certificate template

  1. On an enterprise CA, start the Certificate Templates snap-in.

  2. In the details pane, double-click Key Recovery Agent.

  3. Click the Security tab.

  4. Add accounts for the users or groups that you want to enroll for key recovery agent certificates.

  5. In Group or user names, select an account, and then in Permissions click Read and Enroll.

  6. Click OK.

Adding a key recovery agent certificate template to an enterprise CA

After configuring a certificate template, you must add the template to an enterprise CA. This is required to make the certificate template available to domain members.

To add a key recovery agent certificate template to an enterprise CA

  1. Open the Certification Authority snap-in.

  2. In the console tree, expand Certification Authority, and then click Certificate Templates. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  3. In the Enable Certificate Templates dialog box, click the Key Recovery Agent certificate template and then click OK.

Note

Any certificate template that is already present on the CA will not be displayed in the Enable Certificate Templates dialog box. To view the list of templates on the CA, close the dialog box and click Certificate Templates.
Delete any template that has the same name as the template that you want to add. Repeat step 3 to assign the new template.

Enrolling key recovery agents

The default key recovery agent certificate template is configured to require certificate manager approval prior to certificate issuance in order to control the issuance of key recovery agent certificates. Because of this requirement, the certificate cannot be issued automatically and the enrollment process consists of the following tasks:

  • Requesting a key recovery agent certificate by using the Certificates snap-in, performed by a domain user.

  • Issuing a key recovery agent certificate, performed by a certificate manager.

  • Retrieving an issued key recovery agent certificate, performed by the requester.

The enrollment procedures can be completed on domain member computers running any of the following operating systems:

  • Windows Vista

  • Windows XP

  • Windows Server 2008

  • Windows Server 2003 R2

  • Windows Server 2003

Note

Computers running Windows 2000 or Windows Millennium Edition cannot enroll for key recovery agent certificates or any version 2 certificate templates by using the Certificates snap-in. Use CA Web enrollment pages to enroll for key recovery agent certificates from these operating systems.

Requesting a key recovery agent certificate by using the Certificates snap-in

This procedure should be completed by a domain user who has been designated a key recovery agent and granted Read and Enroll permissions on a key recovery agent certificate template, as described in the procedure Configuring a key recovery agent certificate template.

To request a key recovery agent certificate by using the Certificates snap-in

  1. Start the Certificates snap-in.

  2. In the console tree, expand Certificates – Current User.

  3. Right-click Personal, click All Tasks, then click Request New Certificate to start the Certificate Enrollment wizard.

  4. Review the Before You Begin page, and then click Next.

  5. On the Request Certificates page, select Key Recovery Agent, and click Enroll.

  6. The Certificate Installation Results page displays a status message that indicates that enrollment is pending approval by a certificate manager. Click Finish.

Next, a certificate manager completes the following procedure to issue the key recovery agent (KRA) certificate.

Issuing a key recovery agent certificate

This procedure should be completed on the enterprise CA to which a key recovery agent certificate template has been added, as described in the previous section Adding a key recovery agent certificate template to an enterprise CA. This procedure can be completed by a member of the Administrators group on the CA, Domain Admins, or Enterprise Admins.

To issue a key recovery agent certificate

  1. Start the Certification Authority snap-in and click the Pending Requests folder.

  2. Right-click the pending key recovery agent certificate request, click All Tasks, and then click Issue.

The issued certificate is automatically added to the key recovery agent certificate store on the CA and to the KRA object in AD DS.

Next, a KRA completes the procedure to retrieve an issued key recovery agent certificate.

Retrieving an issued key recovery agent certificate

This procedure should be completed by the user that submitted the key recovery agent certificate request, as described in the procedure Requesting a key recovery agent certificate by using the Certificates snap-in.

To retrieve an issued key recovery agent certificate

  1. Start the Certificates snap-in.

  2. Right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

  3. Review the Before You Begin page, and then click Next.

  4. On the Request Certificates page, the key recovery agent certificate should display a status message indicating that enrollment is pending. Select the key recovery agent certificate, and then click Enroll.

  5. Click Finish to complete the wizard.

By completing these procedures, a key recovery agent certificate has been issued and installed in the user's Personal certificate store and is available for key recovery operations.
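The following PowerShell script is an added check, not part of the original article, that a key recovery agent can run at this point: it finds the KRA certificate in the Personal store by its Key Recovery Agent enhanced key usage, confirms the private key is present, and confirms the CA published the certificate to its KRA object in AD DS. `$CaName` is a placeholder for the issuing CA's common name; the syntax is kept compatible with Windows PowerShell 2.0.

```powershell
# Added verification script; not part of the original article or of AD CS itself.
# Run as the key recovery agent after retrieving the certificate. $CaName is a
# placeholder for the common name of the CA that issued the KRA certificate.
$CaName = 'CONTOSO-ISSUING-CA'

# Enhanced key usage OID carried by certificates issued from the Key Recovery Agent template
$KraEkuOid = '1.3.6.1.4.1.311.21.6'

# 1. Find certificates in the user's Personal store whose EKU includes Key Recovery Agent
$kraCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KraEkuOid })
}
if (-not $kraCerts) {
    Write-Warning 'No KRA certificate in CurrentUser\My: the request is still pending or was denied.'
    return
}

# 2. Read the certificates the CA published to its object under CN=KRA in AD DS
$cfgNC  = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$kraObj = [ADSI]"LDAP://CN=$CaName,CN=KRA,CN=Public Key Services,CN=Services,$cfgNC"
$published = @()
foreach ($raw in $kraObj.Properties['userCertificate']) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $c.Import([byte[]]$raw)
    $published += $c.Thumbprint
}

# 3. Report: recovery needs the private key locally and the public certificate in AD DS
foreach ($c in $kraCerts) {
    $state = if ($published -contains $c.Thumbprint) { 'published in CN=KRA' } else { 'NOT published in CN=KRA' }
    '{0}  {1}  private key: {2}  expires: {3:d}  {4}' -f `
        $c.Thumbprint, $c.Subject, $c.HasPrivateKey, $c.NotAfter, $state
}
```

A certificate reported without a private key cannot decrypt archived keys, and one not published in CN=KRA is not offered when recovery agents are added to the CA.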

Next, complete the procedures in the following section to configure your CA to support key archival and recovery operations.

Configuring a CA for key archival and recovery

The following procedures must be completed to configure a CA to support key archival and recovery operations:

  • Adding key recovery agent certificates to a CA

  • Configuring certificate templates for key archival

Adding key recovery agent certificates to a CA

This procedure should be completed on an enterprise CA that issues certificates to end entities. Key recovery can be performed on a CA only for certificates issued by that CA. If you have multiple issuing CAs in your organization, you must complete this procedure on each CA that you want to support key archival and recovery.

To add key recovery agent certificates

  1. Start the Certification Authority snap-in.

  2. In the console tree, right-click the CA, and click Properties.

  3. Click the Recovery Agents tab.

  4. Click Archive the key.

  5. Click Add to open the Key Recovery Agent Selection dialog box.

  6. Select a certificate and click OK. Repeat to add multiple key recovery agent certificates.

Note

After adding certificates, it is normal to see a status message indicating that the key recovery agent certificate has not been loaded. After the CA is restarted, the status message should indicate that the key recovery agent certificate is valid.

  7. After adding one or more key recovery agent certificates, click OK.

Note

AD CS must be restarted for the changes to take effect.

Configuring certificate templates for key archival

Certificate templates can be individually configured to require key archival. Your organization's security or data recovery policies should specify criteria to determine which certificate templates can be configured for key archival. In general, the purpose of key recovery is to enable data recovery. For this reason, you should consider requiring key archival for certificates used for data encryption, but not for certificates used only for digital signatures. See Best Practices for Key Archival and Recovery.

This procedure should be completed on an enterprise CA. This procedure can only be completed by a member of the Administrators group on the CA, Domain Admins, or Enterprise Admins.

After configuring a certificate template, it must be added to an enterprise CA to be available to domain members. As an example, follow the procedure Adding a key recovery agent certificate template to an enterprise CA and select the certificate template that you configured for key archival.

To configure certificate templates for key archival

  1. Start the Certificate Templates snap-in.

  2. Right-click a certificate template, and then click Properties.

  3. On the Request Handling tab, click Archive subject's encryption private key, and then click OK.
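The following PowerShell script is an added check, not part of the original article, that ties the two CA-side procedures together on the CA after AD CS has been restarted: it reads the KRA certificate count and hashes from the CA's registry configuration, tests the template's msPKI-Private-Key-Flag for the archival bit set by "Archive subject's encryption private key", and confirms the template is published on the CA. `$TemplateName` is a placeholder for the template's common name in AD DS (not its display name).

```powershell
# Added check script; not part of the original article. Run on the enterprise CA
# after AD CS has been restarted. $TemplateName is a placeholder for the common
# name of the template you configured for archival (as stored in AD DS).
$TemplateName = 'ContosoArchivedEFS'

# Archival works only when the CA has loaded at least one KRA certificate AND the
# template requires the subject's private key to be archived AND the CA issues it.

# 1. CA side: KRACertCount and KRACertHash under the active CA's configuration key
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
"CA '$caName': KRACertCount = $($ca.KRACertCount)"
if (-not $ca.KRACertCount) {
    Write-Warning "'Archive the key' is not enabled on this CA or no KRA certificate was added."
}
foreach ($hash in $ca.KRACertHash) { "  KRA certificate hash: $hash" }

# 2. Template side: CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
$cfgNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pks   = "CN=Public Key Services,CN=Services,$cfgNC"
$tmpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
$flags = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value
if ($flags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) {
    "Template '$TemplateName' requires key archival (msPKI-Private-Key-Flag = 0x{0:X})" -f $flags
} else {
    Write-Warning ("Template '$TemplateName' does not archive keys (msPKI-Private-Key-Flag = 0x{0:X})." -f $flags)
}

# 3. The template must also be published on this CA (certificateTemplates on its enrollment object)
$svc = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pks"
if (@($svc.Properties['certificateTemplates']) -contains $TemplateName) {
    "Template '$TemplateName' is published on CA '$caName'."
} else {
    Write-Warning "Template '$TemplateName' is not published on CA '$caName'; add it with Certificate Template to Issue."
}
```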