Windows 2008 Certificate Services - Key Recovery Agent

1) The KRA, can only recovery key to certificates that were issue after the KRA was setup and not ones that were issued before correct?
Correct This is for EFS certificates ONLY

2) Should the KRA be plublished in AD?
has to be
3) Is it ok to use Auto-Enrollment to issue the cert to my security group only?
??
4) Any special Request Handling setting I should select?
Not that I'm aware of
5) When and how woud I use the KRA? I never had to use it before

When users lose their private keys, any information that was persistently encrypted with the corresponding public key is no longer accessible. Using key archival and recovery helps protect encrypted data from permanent loss if, for example, an operating system needs to be reinstalled, the user account to which the encryption key was originally issued is no longer available, or the key is otherwise no longer accessible. To help protect private keys, Microsoft enterprise certification authorities (CAs) can archive a user's keys in its database when certificates are issued. These keys are encrypted and stored by the CA.

This private key archive makes it possible for the key to be recovered at a later time. The key recovery process requires an administrator to retrieve the encrypted certificate and private key and then a key recovery agent to decrypt them.

https://technet.microsoft.com/en-us/library/cc770588.aspx
https://technet.microsoft.com/en-us/library/cc730721.aspx

Thanks....

So the KRA have no baring on user issued certificates?????

I am confused by your responce to my auto-enrollment questoin

please read the reference articles provided.  auto-enrollment depends upon corporate policy and your certificate policy which is really important if you are using pki with other companies

If a KRA is set to enroll and not auto-enroll would they be able to recover a Key if they had not request a KRA certificate?

Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, they are not covered by key archival. Clients must be re-enrolled to receive a certificate that is based on the changed template if they already have a valid certificate that is based on the old template.

you have to create the EFS template to include KRA using the EFS template.
https://www.youtube.com/watch?v=XCXXNdCgzNk
https://www.youtube.com/watch?v=K_fN9cuqhRc

OK got it now.... for the certificates based on the user certificate template, the key recovery agent can or cannot do any thing???

the older certificates a KRA can do nothing the data is lost only data encrypted with certificates that have the kra properties is recoverable using a KRA

WHen selecting auto-enroll for the KRA I noticed the request still goes to pend and does not automatically issue it.

ALso I still do not see the KRA cert listed in my personal store

are you a kra agent? or not?

OK... I figure out my problem ... first time user error...

I do see my KRA cert listed under personal now....

ON a domain is the only good per workstation though? Or once the KRA is register on the server it is good domain wide

Our Security Dept has been grant the KRA rights. This group has 10 users. I see all of their KRA certs listed under, pending but now see this is going to happen each time they log into a workstation.....So in order to recover a key the KRA cert needs to be present on the workstation???? I know under the properties of the CA i need to go the the REcovery Agents tab and select each cert...

Am I doing everything correct??

OK I think I see me problem.. but wanted to run this by the Certificate Experts..

I am using issueing "user" certificates with the signature / encryption usage and not EFS.

A user cert verifies a user is who they said their are and is not really encrypting anything which is why I have problems issues the cert when I select allow archive of private keys.

Does this sound right

Here is more information: The user template is set for Windows 2003 and not Windows 2008 and according to the following artricle I should be able to archive the key when the Request Handeling is set to Signature and Encryption yet I am not able to...

https://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29.aspx

Excerpt from link....

The certificate purpose setting will determine whether key archival can be enabled for a certificate template. Key archival is only possible if the certificate purpose is set to Encryption or Signature and encryption. The recovery of a private key for digitally signing information may result in identity theft and is not supported. Key archival is not supported by most smart card CSPs.

if a user right clicks on a file / folder then chooses encrypt they are using the Encrypting File System (EFS)

Thank you for the reply...

Here is where I am confused...

User template has been cloned, publishd and user are receiving this when they login which is perfect.. The request handeling is set to signature and Encryption.

We are only use certificate to verify the user identiy. IS a key recovery agent even needed. WHen I enable archive key  it user can not enroll for the cert yet when I remove this check box user can enroll for it

you don't need KRA in this scenario.. it is only used for EFS recovery

SO I am correct that even though the certificate is set for signature an encryption, the fact it is a user set which is noted in the OID makes private key articling a moto point.

Why is this check box even an option on a user certificate

you can remove that option from your template.

I undertand you can uncheck it but why is the check box even there

I have read the article you posted and others and have made sure my KRA is setup on my CA the enabled key articla on my user template set for signature and encryption get the following messagte on my CA server....


Active Directory Certificate Services denied request 8685 because The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template. 0x80094810 (-2146875376).  The request was for Domaine\UserABC.  Additional information: Denied by Policy Module

This is a Windows 2008 CS but the template is based on 2003.

Any thought or suggestions. I even tried changing the template to encryption only and it made no difference

1. you have agents (users) with KRA certificates
2. archival has been enabled in the CA

Thank you for the reply...

Here are the answers to your questions.
1) I do I have a valid KRA certificate issued of myself and is registered on the CA which the services have been stop and started on multiple times.

2) ON my user template the box to enable archive keys is checked. I have even tried switch the Request handling from Signature / Encryption to Encryption only and got the same results.

Could my versions of the template be an issue since it is based on Windows 2003? Maybe CSP's are missing?

Now do you see why I am so perplexed!!!!!!   :-(


Thanks again for all of your help

check the properties of the template.. the 2003 template is to distinguish it from REALLY ancient templates
pictures say a thousand words

Thanks I checked my user template again and the archive keys "IS" selected

Any thoughts or idea on why this is not working... even though all documentation states that it should

did you watch the youtube video's that I mentioned earlier?

I have watched the vidoe and read all of the article you posted.

I was able to issue, enroll and register my KRA certificate on my CA. As soon as it enable archive key on my user cert if get the message I post earlier..

I am totally stumped on why this is now working..


My CA is a Windows 2008 R2 Enterprise Edition

It turns out  that even though you are prompted to restart the CA services when registering a KRA certificate I had to restart the service via services.msc in order for the registered KRA to show as valid