Key Recovery Agent Certificate

I am configuring the Key Archival & Recovery in a Windows 2003 Certificate Authority (Enterprise).  I have submitted the request for the KRA cert and then approved the request from the CA.  However, I can't retrieve the certificate as the Certificate Enrollment wizard doesn't start.  I need help retrieving the cert.

Below are the steps as instructed by Microsoft.
http://technet.microsoft.com/en-us/library/ee449464(WS.10).aspx#BKMK_AddKRATemplate
____________________________________

To issue a key recovery agent certificate

1. Start the Certification Authority snap-in and click the Pending Requests folder.

2. Right-click the pending key recovery agent certificate request, click All Tasks, and then click Issue.

The issued certificate is automatically added to the key recovery agent certificate store on the CA and to the KRA object in AD DS.

Next, a KRA completes the procedure to retrieve an issued key recovery agent certificate.

Retrieving an issued key recovery agent certificate
This procedure should be completed by the user that submitted the key recovery agent certificate request, as described in the procedure Requesting a key recovery agent certificate by using the Certificates snap-in.

To retrieve an issued key recovery agent certificate

1. Start the Certificates snap-in.

2. Right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

3. Review the Before You Begin page, and then click Next.

4. On the Request Certificates page, the key recovery agent certificate should display a status message indicating that enrollment is pending. Select the key recovery agent certificate, and then click Enroll.

5. Click Finish to complete the wizard.

By completing these procedures, a key recovery agent certificate has been issued and installed to the user's personal certificates store and is available for key recovery operations.

AManoux asked:
Paranormastic (Cryptographic Engineer) commented:
You can try certreq -retrieve from the cmd line:
  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]

If you type 'certutil' by itself you will get the 'Config' that you need (CA server FQDN\CAName) if you don't already have it.
If doing this from a box other than the CA (it should be on the box you submitted the request from, where the private key is...), then you need to add the option '-config %CA server FQDN\CAName%', which is your "config" value as mentioned above.  You should probably need only the certfile out (filename.cer).

If that doesn't work, try using the CA console (certsrv.msc) to view the pending request and issue it from there, then just export the certificate and install that on the requesting box.  If it is already issued, then just export it.
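The retrieve-and-install flow from the answer above, scripted in PowerShell as an added example (this is not code from the original answer or from Microsoft's procedure). It assumes it runs on the machine, and as the user, that submitted the KRA request, because that is where the private key lives; the CA config string, the request ID and the file path are placeholders. It also checks what the Certificate Enrollment wizard would otherwise do for you: that the certificate landed in the requesting user's personal store, is bound to a private key, and actually carries the Key Recovery Agent EKU.

```powershell
# Added example: retrieve an issued KRA certificate by request ID with
# certreq -retrieve, install it with certreq -accept, then verify the result.
# Assumptions (placeholders, not values from the original thread):
#   - CA config string 'CAHOST.example.com\Example-CA'  (CA server FQDN\CA name)
#   - request ID 7, as shown in certsrv.msc under Issued Certificates
#   - script runs as the user who submitted the request, on the same machine

param(
    [string]$Config    = 'CAHOST.example.com\Example-CA',
    [int]   $RequestId = 7,
    [string]$CertFile  = "$env:TEMP\kra-$RequestId.cer"
)

# Key Recovery Agent enhanced key usage OID, as set by the KRA template
$KraEkuOid = '1.3.6.1.4.1.311.21.6'

# 1. Pull the issued certificate out of the CA database by request ID.
#    -retrieve succeeds only after the request has been issued; a request
#    that is still pending makes certreq exit non-zero.
& certreq.exe -retrieve -config $Config $RequestId $CertFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CertFile)) {
    throw "certreq -retrieve failed for request $RequestId (exit $LASTEXITCODE); has it been issued?"
}

# 2. Install it. certreq -accept matches the certificate to the pending
#    request, and therefore to its private key, in the current user's store.
& certreq.exe -accept $CertFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed (exit $LASTEXITCODE); run as the user who submitted the request"
}

# 3. Verify. A KRA cert without its private key, or without the KRA EKU,
#    is useless for key recovery, so fail loudly rather than report success.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$kra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }

if (-not $kra) {
    throw 'Certificate was not installed in Cert:\CurrentUser\My'
}
if (-not $kra.HasPrivateKey) {
    throw 'Installed certificate has no private key; wrong user or wrong machine'
}

$ekus = $kra.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $KraEkuOid) {
    throw "Certificate lacks the Key Recovery Agent EKU ($KraEkuOid); wrong template?"
}

"KRA certificate $($kra.Thumbprint) installed with private key; expires $($kra.NotAfter)"
```

Two caveats worth keeping in mind. First, the copy of the certificate that the CA writes to its own KRA store and to the KRA object in AD DS is public material only; the private key exists solely in the profile of the user who generated the request, so exporting the cert from the CA and importing it elsewhere (as the answer suggests as a fallback) only works if you import it back into that same user's store, where certreq -accept or the import can pair it with the pending request. Second, if -accept reports that no matching request is found, the request was most likely created under a different account or on a different machine, and no amount of retrieving will produce a usable KRA certificate; submit a new request as the intended KRA user instead.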