Windows 2008 Certificate Services - Key Recovery Agent

compdigit44
compdigit44 used Ask the Experts™
on
I am in the process of planning my roll out of user certificates with auto-enrollment and have the following questions about the Key Recovery Agent.

1) The KRA, can only recovery key to certificates that were issue after the KRA was setup and not ones that were issued before correct?

2) Should the KRA be plublished in AD?

3) Is it ok to use Auto-Enrollment to issue the cert to my security group only?

4) Any special Request Handling setting I should select?

5) When and how woud I use the KRA? I never had to use it before
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2016

Commented:
1) The KRA, can only recovery key to certificates that were issue after the KRA was setup and not ones that were issued before correct?
Correct This is for EFS certificates ONLY

2) Should the KRA be plublished in AD?
has to be
3) Is it ok to use Auto-Enrollment to issue the cert to my security group only?
??
4) Any special Request Handling setting I should select?
Not that I'm aware of
5) When and how woud I use the KRA? I never had to use it before
When users lose their private keys, any information that was persistently encrypted with the corresponding public key is no longer accessible. Using key archival and recovery helps protect encrypted data from permanent loss if, for example, an operating system needs to be reinstalled, the user account to which the encryption key was originally issued is no longer available, or the key is otherwise no longer accessible. To help protect private keys, Microsoft enterprise certification authorities (CAs) can archive a user's keys in its database when certificates are issued. These keys are encrypted and stored by the CA.

This private key archive makes it possible for the key to be recovered at a later time. The key recovery process requires an administrator to retrieve the encrypted certificate and private key and then a key recovery agent to decrypt them.
https://technet.microsoft.com/en-us/library/cc770588.aspx
https://technet.microsoft.com/en-us/library/cc730721.aspx

Author

Commented:
Thanks....

So the KRA have no baring on user issued certificates?????

I am confused by your responce to my auto-enrollment questoin
Top Expert 2016

Commented:
please read the reference articles provided.  auto-enrollment depends upon corporate policy and your certificate policy which is really important if you are using pki with other companies
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
If a KRA is set to enroll and not auto-enroll would they be able to recover a Key if they had not request a KRA certificate?
Top Expert 2016

Commented:
Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, they are not covered by key archival. Clients must be re-enrolled to receive a certificate that is based on the changed template if they already have a valid certificate that is based on the old template.

you have to create the EFS template to include KRA using the EFS template.
https://www.youtube.com/watch?v=XCXXNdCgzNk
https://www.youtube.com/watch?v=K_fN9cuqhRc

Author

Commented:
OK got it now.... for the certificates based on the user certificate template, the key recovery agent can or cannot do any thing???
Top Expert 2016

Commented:
the older certificates a KRA can do nothing the data is lost only data encrypted with certificates that have the kra properties is recoverable using a KRA

Author

Commented:
WHen selecting auto-enroll for the KRA I noticed the request still goes to pend and does not automatically issue it.

ALso I still do not see the KRA cert listed in my personal store
Top Expert 2016

Commented:
are you a kra agent? or not?

Author

Commented:
OK... I figure out my problem ... first time user error...

I do see my KRA cert listed under personal now....

ON a domain is the only good per workstation though? Or once the KRA is register on the server it is good domain wide

Author

Commented:
Our Security Dept has been grant the KRA rights. This group has 10 users. I see all of their KRA certs listed under, pending but now see this is going to happen each time they log into a workstation.....So in order to recover a key the KRA cert needs to be present on the workstation???? I know under the properties of the CA i need to go the the REcovery Agents tab and select each cert...

Am I doing everything correct??

Author

Commented:
OK I think I see me problem.. but wanted to run this by the Certificate Experts..

I am using issueing "user" certificates with the signature / encryption usage and not EFS.

A user cert verifies a user is who they said their are and is not really encrypting anything which is why I have problems issues the cert when I select allow archive of private keys.

Does this sound right

Author

Commented:
Here is more information: The user template is set for Windows 2003 and not Windows 2008 and according to the following artricle I should be able to archive the key when the Request Handeling is set to Signature and Encryption yet I am not able to...

https://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29.aspx

Excerpt from link....

The certificate purpose setting will determine whether key archival can be enabled for a certificate template. Key archival is only possible if the certificate purpose is set to Encryption or Signature and encryption. The recovery of a private key for digitally signing information may result in identity theft and is not supported. Key archival is not supported by most smart card CSPs.
Top Expert 2016

Commented:
if a user right clicks on a file / folder then chooses encrypt they are using the Encrypting File System (EFS)

Author

Commented:
Thank you for the reply...

Here is where I am confused...

User template has been cloned, publishd and user are receiving this when they login which is perfect.. The request handeling is set to signature and Encryption.

We are only use certificate to verify the user identiy. IS a key recovery agent even needed. WHen I enable archive key  it user can not enroll for the cert yet when I remove this check box user can enroll for it
Top Expert 2016

Commented:
you don't need KRA in this scenario.. it is only used for EFS recovery

Author

Commented:
SO I am correct that even though the certificate is set for signature an encryption, the fact it is a user set which is noted in the OID makes private key articling a moto point.

Why is this check box even an option on a user certificate
Top Expert 2016

Commented:
you can remove that option from your template.

Author

Commented:
I undertand you can uncheck it but why is the check box even there
Top Expert 2016
Commented:
archival requires a KRA

Please read these 5 articles .. you can skip to 3 and go on from there
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

Author

Commented:
I have read the article you posted and others and have made sure my KRA is setup on my CA the enabled key articla on my user template set for signature and encryption get the following messagte on my CA server....


Active Directory Certificate Services denied request 8685 because The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template. 0x80094810 (-2146875376).  The request was for Domaine\UserABC.  Additional information: Denied by Policy Module

This is a Windows 2008 CS but the template is based on 2003.

Any thought or suggestions. I even tried changing the template to encryption only and it made no difference
Top Expert 2016

Commented:
1. you have agents (users) with KRA certificates
2. archival has been enabled in the CA

must be chedked to allow KRA

Author

Commented:
Thank you for the reply...

Here are the answers to your questions.
1) I do I have a valid KRA certificate issued of myself and is registered on the CA which the services have been stop and started on multiple times.

2) ON my user template the box to enable archive keys is checked. I have even tried switch the Request handling from Signature / Encryption to Encryption only and got the same results.

Could my versions of the template be an issue since it is based on Windows 2003? Maybe CSP's are missing?

Now do you see why I am so perplexed!!!!!!   :-(


Thanks again for all of your help
Top Expert 2016

Commented:
check the properties of the template.. the 2003 template is to distinguish it from REALLY ancient templates
pictures say a thousand words

Author

Commented:
Thanks I checked my user template again and the archive keys "IS" selected

Author

Commented:
Any thoughts or idea on why this is not working... even though all documentation states that it should
Top Expert 2016

Commented:
did you watch the youtube video's that I mentioned earlier?

Author

Commented:
I have watched the vidoe and read all of the article you posted.

I was able to issue, enroll and register my KRA certificate on my CA. As soon as it enable archive key on my user cert if get the message I post earlier..

I am totally stumped on why this is now working..


My CA is a Windows 2008 R2 Enterprise Edition

Author

Commented:
It turns out  that even though you are prompted to restart the CA services when registering a KRA certificate I had to restart the service via services.msc in order for the registered KRA to show as valid

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial