By default, when your authority issues certificates to your servers, computers, and users, the private key associated with the issued certificate is only stored in the local store of that server, computer, or user.
The problem is that the day the server or computer with this certificate goes down, you will no longer be able to access the associated private key.
To avoid this problem, you can enable private key archival on your CA.
Then, one or more recovery agents that you designate beforehand will be able to recover the private keys archived on your certification authority to recover the desired certificate in ".pfx" format (public key + private key). This will then allow you to restore the original certificate and associated private key to the affected server, computer, or user certificate store.
Warning : the activation of certificate archiving is not retroactive. Additionally, certificate archiving must be enabled on your CA, as well as in the desired certificate template for the desired certificates to be archived.
To avoid losing the private key associated with a certificate issued to a server, computer, or user, you can enable certificate archival.
The advantage being that the certificates are completely archived (including the private key associated with each of them).
When certificate archival is enabled :
Since the private key must remain secret (for security reasons), by default, only the recipient (server, computer or user) has the private key associated with their personal certificate.
For security reasons, you will therefore need to designate 1 or ideally at least 2 users as key recovery agents.
Users designated as key recovery agents will be able to recover certificates and associated private keys for certificates that were archived after private key archival was enabled and that were referenced as a recovery agent in the properties of your certificate authority.
Note : the recovery agent set to a certificate authority has nothing to do with the EFS recovery agent which concerns the recovery of encrypted data via the EFS file system.
For this tutorial, we have created a new user "IWAgentRecup" which is a simple user.
As you can see, this "IWAgentRecup" user is a simple user who is a member of the "Domain Users" group (which is the case by default).
In order for your future recovery agent to be able to access the thumbprints of the issued certificates and the associated private keys, you must grant them the necessary permissions on your certificate authority.
To do this, log on to your server acting as a certification authority as a domain administrator (for example) and open the "Certification Authority" console.
Then, right-click "Properties" on the name of your CA.
As you can see, by default, local administrators (Administrators) and Active Directory domain administrators (Domain Admins) have the right to issue and manage certificates, as well as manage the CA.
If you have created specific users (as is the case in this tutorial), you must add them here by clicking on : Add.
Provide the name of the recovery agent you want to allow access to your CA and click OK.
After the recovery agent is added, grant it permissions :
In order for the newly created user to be able to recover the private keys associated with archived certificates, he must first have a key recovery agent certificate.
To do this, right-click "Manage" on the "Certificate Templates" folder.
Right-click "Duplicate Template" on the "Key Recovery Agent" certificate template.
Warning : don't be mistaken with the other model of certificate named "EFS Recovery Agent" which has nothing to do and which concerns the recovery of files encrypted via the EFS file system.
By default, this certificate template is compatible since Windows Server 2003.
Select "Windows Server 2012" for these 2 compatibility settings.
In the "General" tab, specify "Key Recovery Agent v2" (for example) as the full model name.
In the "Security" tab, by default, you will see that domain admins can enroll a recovery agent certificate (and therefore become one).
If you have created a new user that you want to use as a recovery agent, you will need to add it to the list by clicking on : Add.
Specify the name of your future recovery agent (in our case : IWAgentRecup), then click OK.
This user appears in the list.
Grant it "Read" and "Write" rights.
In the "Request Handling" tab, ensure that the "Allow private key to be exported" box is checked so that your recovery agents can manually export their own certificates in ".pfx" format from their store "Personal" certificates.
This is because recovery agent certificates are not archived.
In the "Issuance Requirements" tab, you will see that by default, the "CA certificate manager approval" box is checked.
This means that when your user requests his recovery agent certificate, the administrator must manually validate the certificate request from the "Certification Authority" console.
The new "Key Recovery Agent v2" certificate template has been created.
As usual, once the new certificate template has been created, right-click "New -> Certificate Template to Issue" on the "Certificate Templates" folder.
Select the "Key Recovery Agent v2" certificate template you just created and click OK.
The new certificate template to be issued appears.
Windows Server 12/29/2023
Windows Server 1/12/2024
Windows Server 10/6/2023
Windows Server 10/20/2023
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.