Configure Automatic Key Archiving in Certificate services| key recovery agent

CA is used for issuing the certificates base on certificate templates. Certificate template defines what is in a certificate, what type of encryption is used, what is key length, what type of technology (MD5, SHA etc) is used.

When you are using certificate services then it is important to configure the key recovery agent so that if you clients are using certificates and encrypting data with certificates, then in case of lose of private key you are able to recover their data, for example an OS needs to be reinstalled or in case user profile get corrupt and encryption key issued by CA is no longer available.

Microsoft enterprise certification authorities (CAs) can archive a user’s keys in its database when certificates are issued. CA is responsible for encrypting and storing keys.

Automatic Key Archiving:

Key archival and recovery are not enabled by default. This is because storage of private key in multiple places can cause a security weakness. But using CA you can made decision about which certificates are covered by key archival.

Here I will show you how to perform the automatic key archiving on windows server 2008, and I shall use the following three machines for this task.

  1. Domain controller:
  2. CA Server: ( having AD certificate services installed on it and this will issue the certificates in our case. You can learn more about installing Certificate services.
  3. W7-client:  ( where we shall enroll the certificate



For enabling automatic key archival you must have a CA administrator and you can complete this task with following steps:

  1. Create a key recovery agent account
  2. Configure the key recovery agent certificate template
  3. Register the new key recovery agent
  4. Enroll the Certificate

Create a Key Recovery Agent Account (KRA):

A key recovery agent is an individual who is allowed to recover a certificate. The key recovery is sensitive task and should be only assigned to highly trusted persons. Simply create a new account for key recovery agent or you can use the existing account for Key Recovery agent. You can learn more about creating user in active directory. I have created a user recoveragent for this purpose in active directory.

Configure the key recovery agent certificate template:

For configuring the key recovery agent certificate template open certificate template from Active directory certificate services. Create a duplicate template of Key Recovery agent template you can use the existing original key recovery agent. For creating duplicate right click on key recovery agent, click on Duplicate template and then I am selecting “Server 2008 enterprise” since I shall use this for windows 7 clients.

creating duplicate certificate templete in AD

Type the name of certificate, and add the key recovery agent user as recovery agent from security tab and assign enroll and auto-enroll rights, in my case this user is recoveryagent.

key recovery agent user


Register the new key recovery agent:

Once you have configured the key recovery agent you need to add this template for your active directory certificate templates. Right click on Certificate Templates from domain controller tab (in my case it is w7cloud-CA) and click on newcertificate template to issue and add the certificate you have create in above step, in my case it was “Recovery Agent-w7cloud”.

Issue certificate to active directory

After completing above step now we need to enable the auto-enrollment from group policy. For this I have created a new group policy object with named “Group policy for recovery Agent”.

new group policy for recovery agent

Right Click on newly created group policy and click on edit which open the Group Policy management console then for enabling auto-enrollment go to user configurationpolicieswindows settingssecurity settingsPublic key policies and then click “Certificate Services Client-Auto Enrollment” Enable this Object and checked all check boxes. Run the gpupdate command for updating group policy.

Certificate Services-Auto Enrillment

Enroll the Certificate:

For enrollment of key recovery agent you need to login on the client where you want to enroll the certificate with recover agent user having enroll rights. I have Login to w7-client for enrollment of certificate with key recovery agent user recoveryagent. And open the Microsoft management console by typing the MMC in run, add the certificate snap-in from “fileadd and remove snap-in”.

Add certificate snapin in client

Right click in console and then all tasksrequest a new certificate. Select the certificate you want to enroll in our case this will be the

enroll certificate

Select your certificate policy that is active directory enrollment policy in our case, click on next.

Select your issued certificate-AD ca

And then select your certificate that we have created on our CA.

Note: you may not find this certificate on your first attempt then try restarting you client, also running gpupdate command on your server.

Select certificate recovery agent

Now again to your CA, from CA role go to active directory pending Request for certificate you will find the a request from you w7-client. Right click on the request select issue from All tasks.

pending requests in CA

Now again back to your client w7-client, open same MMC console where in last step we have added the certificate snip-in. you will find the your issued certificate from under the personal and certificate folder.

Note: If you don’t find any certificate folder in your MMC after trying all above step then please try following tips.

  • Restart the your client machine
  • Run the command GPUPDATE
  • Run the command certutil –pulse in administrator command prompt

Leave a Reply

Your email address will not be published. Required fields are marked *