Q: How do I enable key archival in Active Directory Certificate Services?
A: The private key is critical for any certificate. Although it is possible to back up the private key yourself, another option is for the Certificate Authority (CA) to archive the private key in the CA database, from which it can be recovered if necessary. To enable this, follow these steps.
- A Key Recovery Agent certificate is required for one or more administrators. This requires making the Key Recovery Agent certificate template available. Open the Microsoft Management Console (MMC) Certificate Authority snap-in, right-click Certificate Templates, and select Manage.
- Open the properties of the Key Recovery Agent template. In my example, I'll disable the need for the Key Recovery Agent to be approved by deselecting CA certificate manager approval under the Issuance Requirements tab. Under the Security tab you'll see that by default only domain admins and enterprise admins have the permissions to enroll for the certificate. Click OK and close the Certificate Templates Console.
- As an administrator, you should now request a Key Recovery Agent certificate via the MMC Certificates snap-in; once issued, it will appear in your Personal certificate store.
- In the Certificate Authority snap-in, right-click the CA and select Properties.
- In the Recovery Agents tab, change the option to Archive the key and click Add to add recovery agents. Select the certificate for the administrator, then click Apply for the change to take effect. Click OK.
- Certificate templates must also be enabled to archive the private key. Select Certificate Templates and click Manage. Select the certificate template you want to enable archival for and select Properties. On the Request Handling tab, select Archive subject's encryption private key, as the following figure shows. Click OK.
New certificates generated from the template will now have the key archived, which will show under Issued Certificates when you add the Archived Key column (View, Add/Remove Columns).
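The GUI steps above leave no obvious record of which templates now escrow their keys or which recovery agents the CA trusts. The following PowerShell is an added example, not code from the original answer: it reads the template flags from Active Directory and the Key Recovery Agent settings from the CA's registry so you can audit the result. The function names are mine; the template bit (msPKI-Private-Key-Flag value 0x1, CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) comes from the published template schema, while the meaning of KRACertCount (0 when the CA is set to not archive) is an assumption you should confirm against your CA. The template report needs the ActiveDirectory RSAT module; the KRA check must run on the CA host itself.

```powershell
# Added example (not from the original Q&A): audit key archival configuration.
Import-Module ActiveDirectory

# msPKI-Private-Key-Flag bit 0x1: CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (MS-CRTD).
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1

function Get-KeyArchivalTemplateReport {
    # Lists every certificate template in the forest and whether the
    # "Archive subject's encryption private key" option is set on it.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $templates = Get-ADObject -SearchBase $container `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties displayName, 'msPKI-Private-Key-Flag'

    foreach ($t in $templates) {
        # A template with no flag attribute casts to 0: archival not required.
        $flags = [int]$t.'msPKI-Private-Key-Flag'
        [pscustomobject]@{
            Template        = $t.displayName
            ArchivesKey     = (($flags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0)
            PrivateKeyFlags = ('0x{0:X8}' -f $flags)
        }
    }
}

function Get-CAKeyRecoveryAgentConfig {
    # Reads the Recovery Agents settings for the active CA from its registry
    # configuration key. Assumption: KRACertCount is the number of recovery
    # agents the CA uses (0 means "Do not archive the key") and KRACertHash
    # holds the thumbprints of the KRA certificates selected in the GUI.
    $certSvcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $certSvcKey)) {
        Write-Warning 'CertSvc configuration key not found; run this on the CA itself.'
        return
    }
    $caName = (Get-ItemProperty -Path $certSvcKey -Name Active).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $certSvcKey $caName)
    [pscustomobject]@{
        CA            = $caName
        KRACertCount  = [int]$caKey.KRACertCount
        KRACertHashes = @($caKey.KRACertHash)
    }
}

# Which templates will cause issued keys to be escrowed in the CA database?
Get-KeyArchivalTemplateReport | Sort-Object Template | Format-Table -AutoSize

# Which Key Recovery Agent certificates can decrypt those archived keys?
Get-CAKeyRecoveryAgentConfig | Format-List
```

Run the report after completing the steps: the template you edited should show ArchivesKey as True, and the CA should list exactly the KRA thumbprints you added. Any extra thumbprint or an unexpected template with ArchivesKey set is worth investigating, because whoever holds a listed KRA private key can recover every archived key issued under that template.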