Share via


Identify a Key Recovery Agent

Applies To: Windows 7, Windows SBS 2003, Windows SBS 2008, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Vista, Windows XP

A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be trusted with this responsibility.

To identify a key recovery agent, you must configure the key recovery agent certificate template to allow the person delegated with this responsibility to enroll for a key recovery agent certificate.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure the key recovery agent certificate template

  1. Open the Certificate Templates snap-in.

  2. In the console tree, right-click the key recovery agent certificate template.

  3. Click Duplicate Template.

  4. In the Duplicate Template dialog box, select the Windows 2003 Server, Enterprise Edition check box unless all of your certification authorities (CAs) and client computers are running at least Windows Vista or Windows ServerĀ® 2008.

Note

The selection of the template type is specifying the template version, as opposed to the operating system versions supported. Therefore, selecting Windows 2003 Server, Enterprise Edition means that the template will support issuing certificates to Windows Server 2003 and Windows XP client computers. For additional information, see Certificate Templates Overview(https://technet.microsoft.com/en-us/library/cc730826.aspx)

  1. In Template, type a new template display name, and then modify any other optional properties as needed.

  2. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.

  3. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes.

Note

To enhance security and control of the key recovery process, it is recommended that autoenrollment not be used for key recovery agent certificates.

  1. Click OK.

Before the new key recovery agent can enroll for a certificate based on the new certificate template that you created, the template must first be added to the CA. For information about how to complete this procedure, see Add a Certificate Template to a Certification Authority.

If the certificate was configured with Read and Enroll permissions, the new key recovery agent must use the Certificates snap-in and the Certificate Import Wizard to obtain a key recovery certificate. If the certificate template was configured with Autoenroll permissions, the certificate will be issued automatically the next time the user logs on to the network.

Note

By default, the CA certificate manager approval check box is selected on the Issuance Requirements tab. Unless you clear this check box, a CA manager must approve the certificate request before a key recovery agent certificate is issued.

The next procedure, Enable Key Archival for a CA, cannot be completed until the key recovery agent has obtained this certificate.

Additional references