Saturday, 4 March 2017

Enable key archival in Server 2012 R2

Overview

So, you get an escalated call from the helpdesk saying someone’s lost their private key. So, we only had one copy of that. Now what?
Well, here’s where key archival comes into play. You configure your CA to enable key archival and then you specify that your certificate templates have key archival enabled and now your private keys are copied to your CA so you can recover them when needed!

How to enable key archival

Identify a user to serve as the key recovery agent. In this case, we'll use the account LITWARE\Administrator.

Open your Certification Authority snap-in, right click Certificate Templates and click Manage. You now see a list of certificate templates:

clip_image001[6]

Duplicate the Key Recovery Agent certificate template and give it a name: Key Recovery Agent 2

clip_image002[6]

Configure the key recovery agent certificate template with Read and Enroll permissions for the key recovery agent (LITWARE\Administrator). You do this on the Security tab:

clip_image003[6]

Now we need to configure the CA to use issue the new certificate template. Right click Certificate Templates, click New then click Certificate Templates to Issue

clip_image004[6]

Select your new Key Recovery Agent 2 certificate and click OK

clip_image005[6]

Now we need to enroll the Administrator account for the Key Recovery Agent 2 certificate. To do this, open up certmgr.msc and click on Personal

Click on Action > All Tasks > Request New Certificate

clip_image006[6]

Click next

clip_image007[6]

Click to select the Key Recovery Agent 2 certificate and then click Enroll to finish the wizard:

clip_image008[6]

clip_image009[6]

Note that it didn't issue the certificate - the status is Enrollment pending. Now, go back to your CA snap-in and click on Pending Requests. You should see a pending request for the certificate you just enrolled.

clip_image010[6]

Right click the certificate, click on All Tasks and then Issue. The certificate is now issued.
Now, right click the CA and go to Properties and select the Recovery Agents tab. Select Archive the key, select the Number of recovery agents to use (one in our case):

clip_image011[6]

Click Add and select the certificate which was issued to your chosen user:

clip_image012[6]

Click OK twice and you're then prompted to restart the AD CS services so go ahead and click Yes

clip_image013[6]

So, we've now created our Key Recovery Agent certificate template, issued it to our Key Recovery Agent and configured the CA to use a Key Recovery Agent. We're not protected against key loss just yet because the certificate templates that are issued out need to have key archival enabled.
Right click on a certificate template which you need to enable key archival for, duplicate it, give it a name, go to Properties and then to the Request Handling tab. Tick Archive subject's encryption private key:

clip_image014[6]

On the Superseded Templates tab, add all the certificate templates that you want to be replaced by your new one then click OK:

clip_image015[6]

This doesn't protect against loss of private keys for certificates which have already been issued so in this case, you need to get the clients to reenroll these. Right click on your original certificate and select Reenroll All Certificate Holders:

clip_image016[6]

Go for an 8hr coffee break or just sit and stare at the screen…….

Go to Issued Certificates in the CA snap-in and add the Archived Key column. Eventually, you should start to see new certificates issued and you can see that the key is archived:

clip_image017[6]

So, there you have it. That’s how you enable key archival in AD CS!

If you need to recover a key then see here.
















Recover lost private key (Key Archival)

Overview

If you have Key Archival enabled then you can recover private keys. If you don’t have Key Archival enabled then click here for instructions.
In this post, I’ll demonstrate how to recover a lost private key

How to recover a lost private key

You need to be logged in with one of your Key Recovery Agents that you specified when you configured Key Archival.
Firstly, locate your certificate in the Issued Certificates section using the CA snap-in:
clip_image001
You then need to get the serial number so you can just double click it, go to details and select Serial Number:
clip_image002
Remove the spaces from the Serial Number:
1a00000042af62922b38431f48000100000042
Use certutil to get the key:
certutil -getkey 1a00000042af62922b38431f48000100000042 C:\Temp\key.key
clip_image003
You then use certutil again to recover the private key:
certutil -recoverkey C:\Temp\key.key c:\temp\cert.pfx
clip_image004
You now have a .pfx file and you can import this back onto your client using certmgr.msc














How to enable certificate autoenrollment

Introduction

Welcome back! In this post, we’ll do a quick demo of how you can enable certificate autoenrollment for a computer certificate. This means that the computer (or server) will get its own certificate……eventually……and you don’t (really) need to do anything.

How to enable certificate autoenrollment

Okay, so you have to do something! The first step is to open the Certification Authority snap-in on your CA or management computer, right click on Certificate Templates and click Manage.
clip_image001
You should now see a list of certificate templates you can configure:
image
Right click the Computer certificate template and duplicate it. Call your new certificate Computer 2 and change any settings you need to change (e.g. validity period)
clip_image002
Click on the Security tab and grant Enroll and Autoenroll permissions for Domain Computers (or whatever group of computers you need to configure autoenrollment for)
clip_image003
Create a Group Policy Object which is linked to the domain and go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment. Select Enable and tick Renew expired certificates and tick Update certificates that use templates. Although we link the GPO to the domain, we are in fact only allowing the group with permissions on the computer certificate to actually autoenroll and get the certificate
clip_image004
Now, to get your clients to actually autoenroll for a certificate, you can either wait a while or restart or run force the clients to autoenroll immediately with certutil /pulse.
This creates a certificate in the Local Machine personal store:
image
………and it has a common name which matches the FQDN of the client (litcli01.litware.com in our case):
image