Configuring the Key Recovery Agent Certificate

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you configure a key recovery agent certificate, you must decide which users or groups can have Read and Enroll permissions on the key recovery agent certificate template. By default, only an Enterprise Administrator or a Domain Administrator can request a key recovery agent certificate. If you choose to change these defaults, you need to configure the new Read and Enroll permissions on the template itself.

You must configure an enterprise CA to issue key recovery agent certificates.

When you have configured permissions on the key recovery agent template and authorized an enterprise CA to issue key recovery agent certificates, a user with the appropriate permissions can request a key recovery agent certificate.

You must also select an encryption key length for the key recovery agent certificate. An encryption key of 2,048 bits satisfies most security needs. Keys that are 8,192 bits or larger can take the client CSP several hours to generate and can slow down public key operations on the CA when keys are archived.

You must mark the keys as exportable so that the key recovery agent can export the private key from the local store of the workstation to a floppy disk or other medium for safe storage. It is also best to protect the key recovery agent certificate's private key with a strong password requirement. You can also hold the key recovery agent certificate and its private key on a smart card.

The default key recovery agent certificate template requires manual approval of requests for key recovery agent certificates. It is best if a certificate manager manually approves all key recovery agent certificate requests. The certificate manager might choose to use fewer key recovery agents than the number of available key recovery agent certificates. In this way, no individual key recovery agent can decrypt all the private keys in the CA database. The CA chooses the key recovery agent certificate randomly as a means to ensure that the key recovery agent selection is not predictable.

Several cautions apply to key archiving. First, the default templates in Windows Server 2003 do not allow for key archiving. You must create new version 2 templates, which are available only in Windows Server 2003, Enterprise Edition, to support user enrollment with archiving.

Second, although you can configure the cryptographic service providers that are used for the private keys that are to be archived, you can only archive keys that are generated by means of a Rivest-Shamir-Adleman (RSA)-based CSP. The Digital Signature Standard (DSS) and Diffie-Hellman CSPs are not supported for key archiving.
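The following audit script is an added example, not part of the original article or any Microsoft tool; it checks the points above on an enterprise CA: whether the CA issues the KeyRecoveryAgent template, how many key recovery agent certificates are registered versus how many the CA selects at random for each archived key (KRACertCount), and whether every registered agent certificate uses an RSA key of at least 2,048 bits. It assumes PowerShell 2.0 or later with local administrator rights on the CA, certutil.exe on the PATH, and a placeholder CA common name in $CaName.

```powershell
# Added KRA configuration audit; not from the original article.
# Assumptions: runs on the enterprise CA as a local administrator, PowerShell 2.0+,
# certutil.exe on the PATH, and $CaName is a placeholder for your CA's common name.
$CaName = 'ISSUING-CA-NAME-PLACEHOLDER'

# 1. Is the CA authorized to issue the Key Recovery Agent template?
#    certutil -CATemplates prints one template per line as "<TemplateName>: <display name> ..."
$templateNames = certutil -CATemplates 2>&1 |
    ForEach-Object { if ("$_" -match '^(\S+):') { $Matches[1] } }
$issuesKraTemplate = $templateNames -contains 'KeyRecoveryAgent'

# 2. Registered KRA certificates versus the number the CA uses for each archived key.
#    KRACertHash lists every KRA certificate hash the CA knows; KRACertCount is how many
#    of them the CA picks at random to encrypt each archived private key.
$cfg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$registered = if ($cfg.KRACertHash) { @($cfg.KRACertHash).Count } else { 0 }
$usedPerKey = if ($cfg.KRACertCount) { [int]$cfg.KRACertCount } else { 0 }

# 3. Every certificate in the CA's KRA store must carry an RSA public key; the DSS and
#    Diffie-Hellman CSPs are not supported for key archiving. Also flag keys under 2,048 bits.
$kraCerts = @(Get-ChildItem Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue)
$nonRsa = @($kraCerts | Where-Object { $_.PublicKey.Oid.FriendlyName -ne 'RSA' })
$weak   = @($kraCerts | Where-Object {
    $_.PublicKey.Oid.FriendlyName -eq 'RSA' -and $_.PublicKey.Key.KeySize -lt 2048 })

$findings = @()
if (-not $issuesKraTemplate) { $findings += 'CA is not configured to issue the KeyRecoveryAgent template.' }
if ($usedPerKey -lt 1)       { $findings += 'KRACertCount is 0: no KRA certificate is used, so keys are not archived.' }
if ($registered -gt 0 -and $usedPerKey -ge $registered) {
    $findings += "KRACertCount ($usedPerKey) is not lower than the registered KRA certificates ($registered): every agent can recover every archived key."
}
foreach ($c in $nonRsa) { $findings += "Non-RSA KRA certificate $($c.Thumbprint): $($c.PublicKey.Oid.FriendlyName)" }
foreach ($c in $weak)   { $findings += "KRA key shorter than 2,048 bits: $($c.Thumbprint) ($($c.PublicKey.Key.KeySize) bits)" }

# Report; an empty finding list means the configuration matches the guidance above.
New-Object PSObject -Property @{
    CA                 = $CaName
    IssuesKraTemplate  = $issuesKraTemplate
    RegisteredKraCerts = $registered
    KraCertsUsedPerKey = $usedPerKey
    Findings           = if ($findings) { $findings } else { @('No findings') }
}
```

The "Findings" list is the part to act on; a KRACertCount lower than the number of registered agent certificates is the configuration the article recommends, so that no single agent can decrypt every archived key.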