Key Recovery Agent Certificate

Posted on 2011-10-17
Last Modified: 2012-05-12
I am configuring the Key Archival & Recovery in a Windows 2003 Certificate Authority (Enterprise).  I have submitted the request for the KRA cert and then approved the request from the CA.  However, I can't retrieve the certificate as the Certificate Enrollment wizard doesn't start.  I need help retrieving the cert.

Below are the steps as instructed by Microsoft.

To issue a key recovery agent certificate
1. Start the Certification Authority snap-in and click the Pending Requests folder.

2. Right-click the pending key recovery agent certificate request, click All Tasks, and then click Issue.

The issued certificate is automatically added to the key recovery agent certificate store on the CA and to the KRA object in AD DS.

Next, a KRA completes the procedure to retrieve an issued key recovery agent certificate.

Retrieving an issued key recovery agent certificate
This procedure should be completed by the user that submitted the key recovery agent certificate request, as described in the procedure Requesting a key recovery agent certificate by using the Certificates snap-in.

To retrieve an issued key recovery agent certificate
1. Start the Certificates snap-in.

2. Right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

3. Review the Before You Begin page, and then click Next.

4. On the Request Certificates page, the key recovery agent certificate should display a status message indicating that enrollment is pending. Select the key recovery agent certificate, and then click Enroll.

5. Click Finish to complete the wizard.

By completing these procedures, a key recovery agent certificate has been issued and installed to the user's personal certificates store and is available for key recovery operations.

Question by: AManoux
    1 Comment
    LVL 31

    Accepted Solution

    You can try certreq -retrieve from cmd line:
      CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResp

    If you type 'certutil' by itself you will get the 'Config' that you need (CA server FQDN\CAName) if you don't already have it.
    If you are doing this from a box other than the CA (it should be on the box you submitted the request from, where the private key is...), then you need to add the option '-config %CA server FQDN\CAName%'; that is your "config" value as mentioned above.  You should probably only need the certfile out (filename.cer).

    If that doesn't work, try using the CA console (certsrv.msc) to view the pending request and issue it from there, then just export the certificate and install that on the requesting box.  If it is already issued, then just export it.
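The certreq route described above, as an added PowerShell example that is not part of the original thread: it retrieves the issued certificate by request ID, then adds a step the answer does not spell out, `certreq -accept`, which binds the retrieved certificate to the private key still sitting in the requesting user's REQUEST store, and finally checks that a Key Recovery Agent certificate with a private key now exists in the user's Personal store. `$CAConfig` and `$RequestId` are placeholders you must supply; the KRA enhanced key usage OID 1.3.6.1.4.1.311.21.6 is assumed from Microsoft's published EKU list, not from the page.

```powershell
# Added example: retrieve a pending-then-issued KRA certificate with certreq and
# verify the install. Run as the user, and on the machine, that submitted the request.
param(
    # Placeholder: "<CA server FQDN>\<CA name>", e.g. the Config value printed by `certutil`
    [Parameter(Mandatory=$true)][string]$CAConfig,
    # Placeholder: RequestId shown in certsrv.msc under Issued Certificates
    [Parameter(Mandatory=$true)][int]$RequestId,
    [string]$CerPath = "$env:TEMP\kra-request-$RequestId.cer"
)

$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent EKU (assumed constant)

# 1. Pull the issued certificate out of the CA database. certreq exits non-zero
#    while the request is still pending ("Taken Under Submission"), so stop there.
& certreq.exe -config $CAConfig -retrieve $RequestId $CerPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -retrieve failed for request $RequestId (exit $LASTEXITCODE); is it still pending on the CA?"
}

# 2. Accept the certificate. This matches it against the private key in the
#    CurrentUser REQUEST store and moves the pair into Personal (My). It only
#    works where that private key lives: same user, same machine as the request.
& certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed (exit $LASTEXITCODE); run as the requesting user on the requesting machine."
}

# 3. Verify the outcome: a KRA certificate with its private key in CurrentUser\My.
$kra = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $KraEkuOid)
}
if (-not $kra) {
    throw "No Key Recovery Agent certificate with a private key found in CurrentUser\My."
}
$kra | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

If step 1 fails, the Disposition of the request can be checked on the CA with `certutil -config $CAConfig -view -restrict "RequestID=$RequestId" -out "RequestID,Disposition"` before retrying.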
