Understanding Manual Key Archival
Updated: December 6, 2004
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Manual key archival is supported on the Windows Server 2003 CA as a separate operation from enrollment while still offering centralized key archival. Users may export their private keys into *.pfx files [Public Key Certificate Standard (PKCS) #12 format] or through Outlook into the *.epf format. The following section describes the procedure to export private keys manually from a Windows client so that they may be manually archived on the CA. This is especially useful for users who have enrolled with third-party CAs that do not support key archival.
Exporting Keys and Certificates
Keys and certificates may be exported on Windows clients by one of two methods.
PKCS #12 (*.pfx file) export from the Certificates MMC snap-in on Windows 2000 or Windows Server 2003
*.epf file format from the Outlook 2000 or Outlook 2002 client
If a user has enrolled for Exchange Advanced Security with version 1 certificates (first offered with Exchange 5.0 Key Management Server), direct export from Outlook into the *.epf file format will be necessary. X.509 version 1 certificates and keys may not be exported into PKCS #12 format on the Windows client.
If only X.509 version 3 certificates have been used, the PKCS #12 format may be used.
Exporting Keys from the MMC
To export the certificate and private key while logged in as the user
Click the Start button, and then click Run.
Type mmc.exe and press Enter.
An empty MMC shell appears.
Select the Console menu, and then select Add/Remove Snap-in.
A dialog box appears with a list of all the snap-ins that have been added to this MMC shell.
A list appears with all the registered snap-ins on the current machine.
Click the Certificates snap-in and click Add, choose My User Account, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close. In the Add/Remove Snap-in dialog box, click OK.
The MMC now contains the personal certificate store for the currently logged-on user.
Expand the tree view of the certificate store. Click through Certificates - Current User, Personal, and then Certificates. When you click the Certificates folder on the left, the right-hand pane will display a list of all the certificates for the currently logged on user.
Right-click the certificate intended for export.
Choose All Tasks, and then Export on the Context menu.
A wizard will guide you through the export process.
Click Yes, export the private key, and then click Next.
When exporting a private key, the *.pfx file format is used. The *.pfx file format is based on the PKCS #12, which is used to specify a portable format for storing or transporting a user's private keys, certificates, and miscellaneous secrets. For more information about the PKCS #12, see Appendix B: Additional Information.
Select the appropriate check boxes, and then click Next.
As a best practice, strong private key protection should also be used as an extra level of security on the private key when exporting. The private key should be deleted only if you are performing archival and will no longer use the key on that machine.
The *.pfx file format (PKCS #12) allows a password to protect the private key stored in the file. Choose a strong password, and then click Next.
The last step is to save the actual *.pfx file. The certificate and private key can be exported to any writeable device, including a network drive or disk. After typing or browsing for a file name and path, click Next.
Once the *.pfx file and private key have been exported, the file should be secured on a stable media and transferred in a secure manner to the CA on which the key will be imported in accordance with the organization’s security guidelines and practices.
Exporting Keys from Outlook
To export a key from Outlook
In Outlook, click the Tools menu, and then select Options. Click the Security tab, and then click Import/Export (Figure 3).
Figure 3: Outlook Security Options
Click Export your Digital ID to a file, and then complete the Filename, Password, and Confirm (password confirmation) text boxes (Figure 4).
Figure 4: Outlook Import/Export Digital ID Options
Copy this file to a location accessible by the server or manually transport it using a disk.
Importing a Key Manually on a CA
To import a key manually on a CA
On the certificate server, open a command prompt window, and run the following command.
C:\CertUtil.exe –f –importKMS <name of file>
|The –f flag is required when the key and certificate pair have not been issued from the CA in question.|
The file may be in one of three formats.
KMS export file
PKCS #12 format (*.pfx file)
Outlook export format (*.epf)
|The previous command will work only after the CA was configured for key archival. For more information about the actions required for enabling key archival, see Implementing Key Archival Walkthrough.|