Enable Key Archival for a CA

Applies To: Windows Server 2008 R2

Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).

You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To enable key archival for a CA

  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties.

  4. Click the Recovery Agents tab, and then click Archive the key.

  5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.

    The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.

  6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.

  7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.

  8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.

The list of Key recovery agent certificates can include the status values and causes in the following table.

Status       Cause
Expired      The certificate's expiration date has passed, so the certificate cannot be used.
Invalid      The certificate may be malformed or causes an error when loading.
Not found    The certificate was configured but cannot be located by the CA.
Not loaded   The certificate was configured but has not yet been loaded by the CA.
Revoked      The certificate has been revoked and cannot be used.
Untrusted    The root CA for this certificate is not trusted by the CA.
Valid        The certificate has been loaded by the CA and is operating normally.

If the Number of recovery agents to use value exceeds the number of recovery agent certificates with the status of Valid, enrollment requests that require key archival will fail.
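The following script is an added example, not part of this article or of Windows, that checks the result of the procedure above from the CA's registry configuration and reports each configured key recovery agent certificate using the status vocabulary of the table, then flags the failure condition just described. It assumes it runs as a local administrator on the CA and that the CA keeps copies of its key recovery agent certificates in the local machine KRA certificate store (the store path is a parameter so it can be changed).

```powershell
# Added example: audit a CA's key archival configuration.
# Assumptions: run elevated on the CA; KRA certificate copies live in Cert:\LocalMachine\KRA.
param(
    [string]$KraStore = 'Cert:\LocalMachine\KRA'   # assumed location of the KRA certificate copies
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# KRACertCount holds the "Number of recovery agents to use" value;
# KRACertHash lists the SHA-1 thumbprints of the configured recovery agent certificates.
$props    = Get-ItemProperty -Path $caKey
$useCount = [int]$props.KRACertCount
$hashes   = @($props.KRACertHash) | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

$validCount = 0
foreach ($hash in $hashes) {
    $cert = Get-ChildItem -Path $KraStore -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
    if (-not $cert) {
        $status = 'Not found'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $status = 'Expired'
    } else {
        # Build the chain with online revocation checking so Revoked and Untrusted can be told apart.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok    = $chain.Build($cert)
        $flags = $chain.ChainStatus | ForEach-Object { $_.Status }
        if ($ok)                                   { $status = 'Valid' }
        elseif ($flags -contains 'Revoked')        { $status = 'Revoked' }
        elseif ($flags -contains 'UntrustedRoot' -or
                $flags -contains 'PartialChain')   { $status = 'Untrusted' }
        else                                       { $status = 'Invalid' }
    }
    if ($status -eq 'Valid') { $validCount++ }
    [pscustomobject]@{ Thumbprint = $hash; Status = $status }
}

# Failure condition from the article: more agents required than Valid certificates available.
if ($useCount -gt $validCount) {
    $msg = 'KRACertCount ({0}) exceeds the number of Valid recovery agent certificates ({1}); enrollment requests that require key archival will fail.' -f $useCount, $validCount
    Write-Warning $msg
} else {
    Write-Output ('Key archival configuration OK: {0} agent(s) in use, {1} Valid certificate(s) configured.' -f $useCount, $validCount)
}
```

Run it after step 8, once the CA has restarted, to confirm the certificates the CA shows as Valid agree with what the registry and the store contain.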

Additional references