Key archival and recovery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A certification authority running on Windows Server 2003, Enterprise Edition can be configured to archive the private key of certificates issued from specific templates. The archived copy allows the key to be recovered later if the subject's own copy is lost. The process has two separate phases, handled by different roles: key archival, which happens at enrollment, and key recovery, which happens on demand.

Key archival

Obtaining a certificate normally involves the subject locating the appropriate certificate template, gathering the information that template requires (such as the subject name, the public key, and the supported cryptographic algorithms), and submitting it to a certification authority. When key archival is configured for the template, the request also carries the subject's private key. The key is not sent in the clear: the client encrypts it with the certification authority's exchange (encryption) certificate, and the certification authority re-encrypts it with the public key of one or more key recovery agent (KRA) certificates before storing it in its database. It stays there, readable only by a holder of a matching KRA private key, until key recovery is performed.

By default, the private key of issued certificates is not archived, because keeping a private key in more than one place increases the number of ways it can be attacked. Archival is intended for encryption keys, where losing the key means losing access to data; signature keys should not be archived, since a second copy undermines the non-repudiation a signature is meant to provide. To configure a certification authority to issue certificates with key archival enabled, see Certificate Services example implementation: Key archival and recovery.

Key recovery

Subjects can lose their private key in a variety of ways, such as accidental deletion, loss of the computer or user profile that held it, or deliberate destruction. An administrator may also need to recover the key of a particular subject in order to access data protected by that key, for example after the subject has left the organization. Key recovery is possible only for keys that the key archival process stored when the certificate was issued.

Key recovery is deliberately split between two roles. First, a certificate manager (an administrator with permission to manage certificates on the certification authority) retrieves the subject's certificate and the encrypted private key from the certification authority database. The result is still encrypted under the KRA public key, so this step alone does not expose the key. Second, a key recovery agent decrypts that material with the KRA private key, producing the subject's certificate and private key in a protected file. The key recovery agent then uses the key as appropriate or securely transfers it to the subject for continued use. Recovery does not by itself require revoking or reissuing the certificate, because an archived key that was merely lost is not a compromised key; if the original copy was stolen rather than lost, revoke the certificate and enroll for a new key instead of recovering the old one.
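The two procedures described above, checking that a template and certification authority are set up for key archival, and then carrying out the two-role recovery, can be scripted around certutil.exe. The following PowerShell is an added example written for this page; it is not code from the original documentation. It assumes certutil.exe is on the PATH of an administrative workstation, that the certificate manager and the key recovery agent run their own function on a machine where they hold the corresponding role (the KRA private key must be in the KRA's personal store), and that the configuration string, template name, serial number and file paths in the usage section are placeholders. The regular expressions that pick results out of certutil's text output are an assumption about its formatting and may need adjusting.

```powershell
# Added example (not part of the original page). Assumes certutil.exe from
# Windows Server 2003 / the Administration Tools Pack is on the PATH.

function Test-KeyArchivalConfig {
    param(
        [Parameter(Mandatory = $true)] [string]$TemplateName,
        [string]$CaConfig                      # "CAHostName\CA Name"; omitted = local CA
    )
    $caArgs = @()
    if ($CaConfig) { $caArgs += @('-config', $CaConfig) }

    # 1. The template must require archival. In the verbose template dump this shows
    #    as msPKI-Private-Key-Flag bit 0x1 (CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL),
    #    the "Archive subject's encryption private key" option on the Request Handling tab.
    $tmpl = & certutil.exe -v -template $TemplateName 2>&1 | Out-String
    $templateArchives = $tmpl -match 'REQUIRE_PRIVATE_KEY_ARCHIVAL'

    # 2. The CA must have at least one KRA certificate loaded (KRACertCount in the
    #    CA's registry configuration); with zero, archival requests are rejected.
    $reg = & certutil.exe @caArgs -getreg ca\KRACertCount 2>&1 | Out-String
    $kraCount = 0
    if ($reg -match 'KRACertCount[^\r\n]*?(\d+)\s*$') { $kraCount = [int]$Matches[1] }

    [pscustomobject]@{
        Template        = $TemplateName
        RequiresArchive = $templateArchives
        KraCertCount    = $kraCount
        Ready           = ($templateArchives -and $kraCount -gt 0)
    }
}

# Role 1: certificate manager. Pulls the archived blob out of the CA database.
# The blob is still encrypted to the KRA public key(s); this role cannot read the key.
function Export-ArchivedKeyBlob {
    param(
        [Parameter(Mandatory = $true)] [string]$SearchToken,  # serial number, cert hash, UPN or request ID
        [Parameter(Mandatory = $true)] [string]$BlobFile,
        [string]$CaConfig
    )
    $caArgs = @()
    if ($CaConfig) { $caArgs += @('-config', $CaConfig) }
    & certutil.exe @caArgs -getkey $SearchToken $BlobFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $BlobFile
}

# Role 2: key recovery agent. Decrypts the blob with the KRA private key and writes a
# password-protected PKCS #12 (.pfx). certutil prompts for the PFX password interactively.
function Restore-ArchivedKey {
    param(
        [Parameter(Mandatory = $true)] [string]$BlobFile,
        [Parameter(Mandatory = $true)] [string]$PfxFile
    )
    & certutil.exe -recoverkey $BlobFile $PfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE (is the KRA private key in this user's store?)" }

    # The .pfx now holds a usable private key: remove inherited ACEs and leave only
    # the recovering user and SYSTEM with access until it is handed to the subject.
    $acl = Get-Acl -LiteralPath $PfxFile
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $PfxFile -AclObject $acl
    Get-Item -LiteralPath $PfxFile
}

# Usage (placeholder values):
# Test-KeyArchivalConfig -TemplateName 'CorpUserEncryption' -CaConfig 'ca01.corp.example\Corp Issuing CA'
# Export-ArchivedKeyBlob -SearchToken '1a2b3c4d5e6f' -BlobFile 'C:\recovery\jdoe.blob' -CaConfig 'ca01.corp.example\Corp Issuing CA'
# Restore-ArchivedKey -BlobFile 'C:\recovery\jdoe.blob' -PfxFile 'C:\recovery\jdoe.pfx'
```

Keep the two roles on separate accounts, and ideally separate machines, so that no single person can both pull a blob from the database and decrypt it; the certificate manager needs only the Issue and Manage Certificates permission on the CA, while the key recovery agent needs the KRA private key and nothing on the CA. Delete the blob and the .pfx once the subject has imported the key, and treat the .pfx password with the same care as the key itself.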

For more information, see Manage Key Archival and Recovery.