Building a Certificate Authority in Windows Server 2019 Part 5 - Private Key Archive and Recovery

Practical Guide to PKI with Windows Server - First Edition

Now available for purchase: a complete book version of this guide. It expands on the material here with over 300 screenshots, CLI configuration commands, a quick start guide, additional details and more.

Note: This guide is archived and is no longer updated on this website. For any future updates to this guide, please refer to the version that can be found on docs.mjcb.io.


5.1 Create the Key Recovery Agent Template

The Key Recovery Agent feature of Active Directory Certificate Services allows for the archival of Private Keys that are generated by the Certificate Authority. This is very important if a Certificate is deleted and its Private Key needs to be restored, since data encrypted with that Certificate cannot otherwise be read.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on Certificate Templates and then click Manage. The Certificate Templates Console will open and display the Certificate Templates stored in Active Directory.
  3. In the details pane, right-click on the Key Recovery Agent Template and then click Duplicate Template.
  4. On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Recovery Agent. Ensure that the Validity Period is set to 1 year.
  5. On the Issuance Requirements tab, uncheck the option for CA certificate manager approval.
  6. On the Security tab verify that Authenticated Users do not have the Enroll or Autoenroll permissions enabled.
  7. On the Security tab select Domain Admins and Enterprise Admins and enable the Enroll permission. Click OK to close the window.
  8. Close the Certificate Templates Console window.
  9. In Certification Authority Console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
  10. In the Enable Certificate Templates dialog box, click TFS Labs Key Recovery Agent and then click OK.

5.2 Create the Key Recovery Agent Certificate

Once the Certificate Template has been created it can now be requested for the Domain Administrator account.

  1. On the TFS-CA01 Server, open the Certificates Console (certmgr.msc) under the Current User Account.
  2. Right-Click on the Personal > Certificates folder and select the All Tasks > Request New Certificate option.
  3. On the Before You Begin screen, click the Next button to continue.
  4. On the Select Certificate Enrollment Policy screen, click the Next button to continue.
  5. On the Request Certificates screen, check the box beside the TFS Labs Key Recovery Agent Certificate and click the Enroll button.
  6. On the Certificate Installation Results screen, click the Finish button.

5.3 Configure the Certificate Authority to Allow Key Recovery

The option to Archive Keys that are generated by the Subordinate CA needs to be explicitly activated for it to work correctly. This is configured on the TFS-CA01 Server.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on the TFS Labs Enterprise CA Server and select the Properties option.
  3. On the Recovery Agents tab, select the option to Archive the Key. Click the Add… button and select the Key Recovery Agent Certificate that was just requested.
  4. Click the OK button. When prompted to restart Active Directory Certificate Services, click the Yes button.

5.4 Configure the Certificate Template for Archiving Keys

Now that the Key Archive feature has been enabled on the CA, a Certificate Template that archives the subject's Private Key can be created and published to Active Directory and the Certificate Authority.

  1. In the Certification Authority Console on the TFS-CA01 Server, ensure that the TFS Labs Enterprise CA Server is expanded in the Console tree.
  2. Right-click on Certificate Templates and then click Manage. The Certificate Templates Console window will open and display the Certificate Templates that are currently stored in Active Directory.
  3. In the details pane, right-click on the User Template and then click Duplicate Template.
  4. On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Archive. Ensure that the Validity Period is set to 1 Year.
  5. On the Subject Name tab, uncheck the options for Include e-mail name in the subject name and the E-mail Name from the Active Directory settings.
  6. On the Request Handling tab, select the option for Archive subject’s encryption private key. When the Changing Key Archival Property box opens, click the OK button to continue.
  7. Click the OK button to close the Template window.
  8. Close the Certificate Templates Console window.
  9. In the Certification Authority Console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
  10. In the Enable Certificate Templates dialog box, click the TFS Labs Key Archive option and then click OK.
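To confirm that the configuration from sections 5.3 and 5.4 took effect, the following PowerShell script, added here and not part of the original guide, queries the CA's KRA registry values, reads the template's archival flag from Active Directory, checks that the template is published on the CA, and lists issued requests together with their Key Recovery Agent hashes. It assumes the CA configuration string TFS-CA01\TFS Labs Enterprise CA, the template common name TFSLabsKeyArchive (the default derived from the display name TFS Labs Key Archive), and the ActiveDirectory PowerShell module being available on the server.

```powershell
# Added verification script for sections 5.3 and 5.4 (not part of the original guide).
# Assumptions: CA config string 'TFS-CA01\TFS Labs Enterprise CA', template common
# name 'TFSLabsKeyArchive', and the ActiveDirectory module installed on the CA.
$CaConfig = 'TFS-CA01\TFS Labs Enterprise CA'
$Template = 'TFSLabsKeyArchive'

# 5.3: archival only works when at least one KRA certificate is registered.
# KRACertCount is the number of KRA certificates used to encrypt each archived key;
# KRACertHash lists the hashes of the KRA certificates added on the Recovery Agents tab.
certutil -config $CaConfig -getreg CA\KRACertCount
certutil -config $CaConfig -getreg CA\KRACertHash

# 5.4: the template must require private key archival. The AD attribute
# msPKI-Private-Key-Flag has bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) set when
# "Archive subject's encryption private key" was selected on the Request Handling tab.
function Test-TemplateArchivesKey {
    param([string]$TemplateCommonName)
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateCommonName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
    $t = Get-ADObject -Identity $dn -Properties 'msPKI-Private-Key-Flag'
    return (($t.'msPKI-Private-Key-Flag' -band 0x1) -ne 0)
}
Write-Host "Template $Template requires key archival: $(Test-TemplateArchivesKey $Template)"

# The template must also be published on the CA (Certificate Template to Issue).
# certutil -CATemplates prints one line per published template as "CommonName: DisplayName -- ...".
$published = (certutil -config $CaConfig -CATemplates) -match "^${Template}:"
Write-Host "Template $Template published on CA: $([bool]$published)"

# Issued certificates (Disposition 20) whose key was actually archived have the CA
# database column Request.KeyRecoveryHashes populated; an empty value means the
# request was issued without an archived key.
certutil -config $CaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,CertificateTemplate,KeyRecoveryHashes'
```

Run the script as a CA administrator on TFS-CA01; the last command lists every issued request, so filter its output once the database grows.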

