Configure the Key Recovery Agent Certificate Template
  • 21 Jul 2023
  • 2 Minutes to read
  • Dark
  • PDF

Configure the Key Recovery Agent Certificate Template

  • Dark
  • PDF

Article summary

Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. Configure your CA to enable key archival, then specify that your certificate templates have key archival enabled.

Configure the Key Recovery Agent Certificate Template

  1. Sign into a certificate authority as a domain administrator or a domain user.
  2. Ensure that the domain user is a member of the Domain Admins or Enterprise Admins Group, and has the rights for Issue and Manage Certificates, Manage CA, and Request Certificates for the CA.
    1. Right-click the CA.
    2. Click Properties.
      The Properties dialog box displays.
    3. Click the Security tab to view the user's privileges.
  3. Open the Server Manager.
  4. To create the Key Recovery Agent certificate template, from the menu, click Tools > Certification Authority.
    2key_escrowThe Certificate Authority screen displays. 
  5. Right-click Certificate Templates and select Manage to see a list of certificate templates. 
  6. Right-click the Key Recovery Agent certificate template and select Duplicate Template.
    The Properties dialog box displays.
  7. Click the Compatibility tab, and keep the default settings:
  8. Click the General tab.
  9. Provide a Template display name and select the Validity Period as required.
  10. Click the Cryptography tab and keep the default settings:
  11. Click the Issuance Requirements tab and uncheck CA certificate manager approval.
    By default, this checkbox is enabled to ensure that the certificate request goes to the CA Pending Requests List. A CA admin would then need to approve the certificate issue manually, and you still would not be able to export the private key. To avoid this, you must uncheck this option so that you can export the private key of the Key Recovery Agent.
  12. Click the Security tab and add the domain user who logged into the server.
  13. Assign the domain user the Read and Enroll permissions. 
  14. Enable the Read permission to the Authenticated Users.
  15. Click Apply and OK to save the template.
    1. Open the Certification Authority snap-in
    2. Right-click Certificate Templates, and select New > Certificate Templates to Issue.
    3. Select the newly-created Key Recovery Agent 2 certificate, and click OK.
    1. Using the Run window, open certmgr.msc.
    2. Right-click Personal. 
    3. Click All Tasks > Request New Certificate.
      The Certificate Enrollment dialog box displays.
    4. Click Next.
      The Certificate Enrollment Policy screen displays.
    5. Click Next
    6. Select the Key Recovery Agent 2 certificate and click Enroll.
    7. Click Finish to complete the enrollment.
    1. Using the Run window, open certmgr.msc.
    2. Right-click Personal > Certificates.
    3. Right-click the CA, and click Properties.
      The Properties window displays. 
    4. Click the Recovery Agents tab. 
    5. Select Archive the key and enter a value for the Number of recovery agents to use.
    6. Click Add and select the issued certificate.
    7. Click OK<.
    8. Click Apply.
    9. Click Yes to restart the AD CS Service.
    10. Once the service is restarted, click OK in the Properties window.
    11. Right-click the CA and select Properties
    12. Click the Recovery Agents tab to see the validated certificate.
      21key_escrowThe Key Recovery Agent certificate template is now created and enrolled, and the CA is configured to use a Key Recovery Agent.
    1. Right-click the Key Management CA template and select Properties.
      The Properties dialog box displays.
    2. On the Request Handling tab, select the Include symmetric algorithms allowed by the subject and Archive subject's encryption private key options. 
    3. If the Microsoft CA is integrated with HSM, configure the Cryptography Provider CategoryKey Management template. 
      1. In the Properties dialog box, click the Cryptography tab .
      2. In the Provider Category, select Legacy Cryptographic Service Provider.24key_escrow
      3. Click Apply, then OK.
        Your changes save.

The Key Recovery Agent private key is now available on the local machine certificate store where the web service is deployed.

Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.