I am in the process of planning my rollout of user certificates with auto-enrollment and have the following questions about the Key Recovery Agent.
1) The KRA can only recover keys for certificates that were issued after the KRA was set up, and not ones that were issued before, correct?
2) Should the KRA be published in AD?
3) Is it ok to use Auto-Enrollment to issue the cert to my security group only?
4) Any special Request Handling setting I should select?
5) When and how would I use the KRA? I never had to use it before.