Requesting the Key Recovery Agent Certificate
- Create an active directory group (Security domain local) named (Key recovery agents CA Name )
- Create a user account named KRA1_CA_Name and add the user to the previously created group.
- Log on to the CA server with CA administrator account and add the certificates templates snap-in.
- Adjust the Key recovery agent certificate template to allow the(Key recovery agents CA Name ) group both read and enroll permissions.
- Log on to a windows machine with KRA1_CA_Name user account and type http://CAName/certsrv on an internet explorer. On the Welcome page, click the Request a Certificate link.
- On the Advanced Certificate Request page, click the Create and Submit a Request to this CA link.
- On the Advanced Certificate Request page, in the Certificate Template dropdown list, select Key Recovery Agent. On the Advanced Certificate Request page, in the Friendly Name box, type Key Recovery Agent, and click Submit.
- On the Certificate Pending page, ensure that the Web page states that the request ID is in a pending state.
- Close Internet Explorer.
Issuing the Key Recovery Agent Certificate
Once the certificate request is pending, the key recovery agent must have his or her identity validated by a certificate manager.
- Log on to the issuing CA as a user assigned the Issue and Manage Certificates permission.
- Open the Certification Authority console. Expand the certification authority name and click Pending Requests.
- Ensure that the Key Recovery Agent certificate requestor has met the defined certificate policy, right-click the pending certificate request in the details pane, point to All Tasks, and click Issue. Close the Certification Authority console.
This process must be repeated for all pending Key Recovery Agent certificates .When the certificate is issued, the CA publishes the certificate to the CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container inside the CA object name. Publication in this container allows the Key Recovery Agent certificate to be added to the configuration of an enterprise CA in the forest, enabling key archival.
Installing and Exporting the Key Recovery Agent Certificate
Once a certificate is issued, the Key Recovery Agent certificate requestor can complete the installation by performing the following process:
- Log on to the same windows machine using the account KRA1_CA_NAME. Open Internet Explorer at the same computer where the original request was submitted.
- In Internet Explorer, open the URL http://CertSrvDNS/certsrv.On the Welcome page, click the View the Status of a Pending Certificate Request link.
- On the View the Status of a Pending Certificate Request page, click the Key Recovery Agent Certificate (Date and Time) link. On the Certificate Issued page, click the Install this Certificate link.
- In the Potential Scripting Violation dialog box, accept that the Web site is adding a certificate to your computer by clicking Yes.
- Ensure that the Certificate Installed page appears, indicating that the certificate has been installed successfully. Close Internet Explorer.
Exporting the certificate and private key
Once you successfully enroll the Key Recovery Agent certificate, it is recommended that you export the certificate and private key to a PKCS #12 file and remove the key material from the hard drive of the computer where the request was performed. This process allows key recovery to take place at any computer where the private key is imported. It also ensures that the private key no longer remains on the computer where the request was performed.
Note: On the Export File Format page, click Personal Information Exchange—PKCS #12 and enable the following check boxes:
- Include all certificates in the certification path, if possible
- Enable strong protection
- Delete the private key if the export is successful
Enabling a CA for Key Archival
The following procedure enables key archival at an enterprise CA:
- Log on at the enterprise CA as a user assigned the Manage CA permissions (known as a CA Admin).
- On the Start menu, click Administrative Tools and click Certification Authority.
- In the console tree, right-click the CA name and click Properties.
- In the CA name Properties dialog box, click the Recovery Agents tab.
- On the Recovery Agents tab, click Archive the Key; in the Number of Recovery Agents to Use box, type 1; and click the Add button.
- In the Key Recovery Agent Selection dialog box, select the one or more Key Recovery Agent certificates and click OK.
- In the CA name Properties dialog box, click Apply. When you click the Apply button, the CA performs a certificate validation test against each designated Key Recovery Agent certificate. If any certificate fails the validation test, the failure is designated once you restart Certificate Services.
- In the Certification Authority dialog box, click Yes to restart certificate services.
- On the Recovery Agents tab, ensure each added Key Recovery Agent certificate’s status is reported as Valid and click OK. You might have to close and reopen the CA Name Properties dialog box to see the change in certificate status.
The CA is enabled for key archival and can now issue certificates based on certificate templates that enable key archival.
Enabling Key Archival in a Certificate Template
Once the CA is enabled for archival, you can create and publish certificate templates that enable key archival. To enable key archival in a certificate template, the first thing that you must do is set the purpose of the certificate template to either Encryption or Signature and Encryption. Key archival is only possible for certificate templates with these purposes. In fact, if the certificate template’s purpose is Signature or Signature and Smart Card Log xpon, it is not possible to enable key archival for the certificate template. Once you define the purpose of the certificate template as Encryption or Signature and Encryption, the following properties must be configured on the Request Handling tab of the certificate template:
- Archive subject’s encryption private key. Enable this check box.
- Allow private key to be exported. Enable this option if you want to allow manual export of the certificate’s private key by the holder of the private key. This option is also required if the certificate will be requested by Windows 2000 clients by using the Certificate Services Web Enrollment pages.
- CSP. Select a CSP that enables key export. For example, a smart card CSP might not allow key export and archival.
Performing Key Recovery
Just a quick reminder of the content of the portion of the CA database used for key archival. This portion contains what is called as BLOBs. A BLOG is a combination of the user private key encrypted with a random symmetric key + the symmetric keys themselves encrypted with the public key of one or more KRA.
Key recovery can be performed from the command line using the certutil.exe utility [or from the GUI using the Key Recovery tool (krt.exe) from the Windows Server 2003 Resource Kit]. I prefer the certutil option.
The certutil.exe command is used by both the certificate manager and the key recovery agent when key recovery is performed from the command line.
- The certificate manager first determines the serial number of the affected certificate by viewing the properties of the certificate in the Certification Authority console.
- Once the serial number is known, the certificate manager can extract the encrypted BLOB file by running certutil –getkey SearchToken OutputBlob in a Command Prompt window at the CA.
- The SearchToken can be the serial number of the certificate, the Common Name of the certificate, the Thumbprint of the certificate, the certificate requestor’s user account name (domain\username),or the requestor’s User Principal Name (UPN) (email@example.com). The OutputBlob is a file name for the output file.
- The key recovery agent can then log on and use the certutil –recoverkey OutputBlob PKCS#12File command to recover the private key from the BLOB file into a PKCS #12 file. This process defines the file name and sets a password on the PKCS #12 file.
- Now the resulting PKCS#12 file can be transported to the user and then imported by the user at his or her computer, allowing access to the private key at the computer.