

Key Recovery Agent Certificate

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-05-12
I am configuring the Key Archival & Recovery in a Windows 2003 Certificate Authority (Enterprise).  I have submitted the request for the KRA cert and then approved the request from the CA.  However, I can't retrieve the certificate as the Certificate Enrollment wizard doesn't start.  I need help retrieving the cert.

Below are the steps as instructed by Microsoft.

To issue a key recovery agent certificate
1. Start the Certification Authority snap-in and click the Pending Requests folder.

2. Right-click the pending key recovery agent certificate request, click All Tasks, and then click Issue.

The issued certificate is automatically added to the key recovery agent certificate store on the CA and to the KRA object in AD DS.

Next, a KRA completes the procedure to retrieve an issued key recovery agent certificate.

Retrieving an issued key recovery agent certificate
This procedure should be completed by the user that submitted the key recovery agent certificate request, as described in the procedure Requesting a key recovery agent certificate by using the Certificates snap-in.

To retrieve an issued key recovery agent certificate
1. Start the Certificates snap-in.

2. Right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

3. Review the Before You Begin page, and then click Next.

4. On the Request Certificates page, the key recovery agent certificate should display a status message indicating that enrollment is pending. Select the key recovery agent certificate, and then click Enroll.

5. Click Finish to complete the wizard.

By completing these procedures, a key recovery agent certificate has been issued and installed to the user's personal certificates store and is available for key recovery operations.

Question by: AManoux
1 Comment

Accepted Solution

Paranormastic earned 2000 total points
You can try certreq -retrieve from the cmd line:
  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResp

If you type 'certutil' by itself you will get the 'Config' that you need (CA server FQDN\CAName) if you don't already have it.
If doing this from a box other than the CA (it should be on the box you submitted the request from, where the private key is...), then you need to add the option '-config %CA server FQDN\CAName%', which is your "config" value as mentioned above. You should probably only need the certfile out (filename.cer).

If that doesn't work, try using the CA console (certsrv.msc) to view the pending request and issue it from there, then just export the certificate and install that on the requesting box. If it is already issued, then just export it.
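The retrieval route from the answer above, carried through as a PowerShell script that is added here and is not from the original post or from Microsoft's documentation. It confirms on the CA that the request really is issued, pulls the certificate with certreq -retrieve, binds it to the pending private key with certreq -accept (the step the Certificate Enrollment wizard would otherwise do), and then checks the result in CurrentUser\My. The CA config string, request ID and file path are placeholder assumptions; substitute your own. The Key Recovery Agent EKU OID 1.3.6.1.4.1.311.21.6 is the standard value.

```powershell
# Added example, not from the original post. Run it on the machine and in the
# user profile that submitted the KRA request: that is where the pending
# private key lives, and a certificate retrieved anywhere else has no key.

# --- Assumed placeholder values (replace with your own) ----------------------
$CaConfig  = 'ca01.corp.example.com\Corp-Issuing-CA'   # "Config": CA FQDN\CA name
$RequestId = 42                                        # RequestId from the CA console
$CertFile  = Join-Path $env:TEMP 'kra.cer'
$KraEku    = '1.3.6.1.4.1.311.21.6'                    # Key Recovery Agent EKU OID

# 1. Confirm the CA-side state of the request before trying to retrieve it.
#    Disposition 20 = issued, 9 = pending, 30 = denied, 21 = revoked.
certutil -config $CaConfig -view -restrict "RequestID=$RequestId" `
    -out 'RequestID,Disposition,DispositionMessage,RequesterName'

# 2. Pull the issued certificate from the CA into a file.
#    -config is required whenever you are not running on the CA itself.
certreq -retrieve -config $CaConfig $RequestId $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed (exit $LASTEXITCODE)" }

# 3. Install the certificate into the Current User store and pair it with the
#    private key that was generated when the request was created.
certreq -accept -user $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }

# 4. Verify: a usable KRA certificate sits in CurrentUser\My, carries the KRA
#    EKU, and has its private key. Without the key it cannot decrypt archived keys.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KraEku } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No certificate with the Key Recovery Agent EKU found in CurrentUser\My'
}
if (-not $cert.HasPrivateKey) {
    throw "KRA certificate $($cert.Thumbprint) has no private key; retrieve it where the request was made"
}
"KRA certificate installed: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 5. Issuing the certificate does not make the CA use it. It still has to be
#    added on the Recovery Agents tab of the CA properties (certsrv.msc) and the
#    CA service restarted before key archival requests are accepted.
```

Treat the resulting private key as highly sensitive: anyone holding it can decrypt every key the CA has archived, so export it to a password-protected PFX, keep that offline, and restrict who is allowed to log on as this user.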
