
Building a Certificate Authority in Windows Server 2019 Part 5 – Configure Private Key Archive and Recovery

5.1 Create the Key Recovery Agent Template

The Key Recovery Agent feature of Active Directory Certificate Services allows for the archival of Private Keys that are generated by the Certificate Authority. This is very important if a Certificate is deleted and needs to be restored.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on Certificate Templates and then click Manage. The Certificate Templates Console will open and display the Certificate Templates stored in Active Directory.
  3. In the details pane, right-click on the Key Recovery Agent Template and then click Duplicate Template.
  4. On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Recovery Agent. Ensure that the Validity Period is set to 1 year.
  5. On the Issuance Requirements tab, uncheck the option for CA certificate manager approval.
  6. On the Security tab verify that Authenticated Users do not have the Enroll or Autoenroll permissions enabled.
  7. On the Security tab select Domain Admins and Enterprise Admins and enable the Enroll permission. Click OK to close the window.
  8. Close the Certificate Templates Console window.
  9. In Certification Authority Console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
  10. In the Enable Certificate Templates dialog box, click TFS Labs Key Recovery Agent and then click OK.

5.2 Create the Key Recovery Agent Certificate

Once the Certificate Template has been created it can now be requested for the Domain Administrator account.

  1. On the TFS-CA01 Server, open the Certificates Console (certmgr.msc) under the Current User Account.
  2. Right-Click on the Personal > Certificates folder and select the All Tasks > Request New Certificate option.
  3. On the Before You Begin screen, click the Next button to continue.
  4. On the Select Certificate Enrollment Policy screen, click the Next button to continue.
  5. On the Request Certificates screen, check the box beside the TFS Labs Key Recovery Agent Certificate and click the Enroll button.
  6. On the Certificate Installation Results screen, click the Finish button.

5.3 Configure the Certificate Authority to Allow Key Recovery

The option to Archive Keys that are generated by the Subordinate CA will need to be explicitly activated for it to work correctly. This is configured on the TFS-CA01 Server.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on the TFS Labs Enterprise CA Server and select the Properties option.
  3. On the Recovery Agents tab, select the option to Archive the Key. Click the Add… button and select the Key Recovery Agent Certificate that was just requested.
  4. Click the OK button. When prompted to restart Active Directory Certificate Services, click the Yes button.

5.4 Configure the Certificate Template for Archiving Keys

Now that the Key Archive feature has been enabled on the CA, a Certificate Template that archives the subject's private key can be published to Active Directory and the Certificate Authority.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on Certificate Templates and then click Manage. The Certificate Templates Console window will open and display the Certificate Templates that are currently stored in Active Directory.
  3. In the details pane, right-click on the User Template and then click Duplicate Template.
  4. On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Archive. Ensure that the Validity Period is set to 1 Year.
  5. On the Subject Name tab, uncheck the options for Include e-mail name in the subject name and the E-mail Name from the Active Directory settings.
  6. On the Request Handling tab, select the option for Archive subject’s encryption private key. When the Changing Key Archival Property box opens, click the OK button to continue.
  7. Click the OK button to close the Template window.
  8. Close the Certificate Templates Console window.
  9. In the Certification Authority Console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
  10. In the Enable Certificate Templates dialog box, click the TFS Labs Key Archive option and then click OK.
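The following PowerShell check confirms the outcome of sections 5.1 to 5.4 from the CA itself. It is an added example, not part of the original post; it assumes it runs on TFS-CA01 as a CA administrator with the ADCSAdministration and ActiveDirectory (RSAT) modules installed, that the template display names match those used above, and that the templates' AD names are the display names with spaces removed (the default the Duplicate Template dialog proposes).

```powershell
# Added post-configuration check for sections 5.1-5.4 (not part of the original post).
# Assumptions: run on TFS-CA01 as a CA administrator; ADCSAdministration and ActiveDirectory
# modules available; template names without spaces are the dialog default, not taken from the post.
Import-Module ADCSAdministration, ActiveDirectory

# 5.3: the CA only archives keys when at least one KRA certificate is registered. The count
# and the SHA-1 hashes of the registered KRA certificates sit under the CA's configuration
# key, whose name is stored in the 'Active' value.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)
if ([int]$caCfg.KRACertCount -lt 1) {
    Write-Warning "$caName has no Key Recovery Agent certificate; archival requests will fail."
} else {
    "KRA certificates in use on ${caName}: $($caCfg.KRACertHash -join ', ')"
}

# 5.1 / 5.4: both templates must be published on this CA (Certificate Template to Issue).
$issued = (Get-CATemplate).Name
foreach ($name in 'TFSLabsKeyRecoveryAgent', 'TFSLabsKeyArchive') {
    if ($issued -notcontains $name) { Write-Warning "Template $name is not issued by $caName." }
}

# 5.4: the archive template must carry CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in
# msPKI-Private-Key-Flag; without it clients never send their private key to the CA.
$tplBase = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
$archive = Get-ADObject -SearchBase $tplBase -LDAPFilter '(displayName=TFS Labs Key Archive)' `
                        -Properties 'msPKI-Private-Key-Flag'
if (-not ($archive.'msPKI-Private-Key-Flag' -band 0x1)) {
    Write-Warning 'TFS Labs Key Archive does not require private key archival.'
}

# 5.1 step 6: Authenticated Users must not hold Enroll or Autoenroll on the KRA template,
# because the holder of a KRA certificate can recover any archived key.
$kra = Get-ADObject -SearchBase $tplBase -LDAPFilter '(displayName=TFS Labs Key Recovery Agent)'
$enrollGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55',   # Certificate-Enrollment right
               'a05b8cc2-17bc-4802-a710-e7c15ab866a2',   # Certificate-AutoEnrollment right
               [guid]::Empty.ToString()                   # ACE granting all extended rights
$leak = (Get-Acl -Path "AD:\$($kra.DistinguishedName)").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $enrollGuids -contains $_.ObjectType.ToString()
}
if ($leak) { Write-Warning 'Authenticated Users can enroll for the KRA template; remove that permission.' }
```

Each warning maps back to the numbered step it checks, so a clean run (no warnings, one line of KRA hashes) means the GUI configuration above took effect.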
