Saturday, 4 March 2017

Enable key archival in Server 2012 R2


So, you get an escalated call from the helpdesk saying someone’s lost their private key. So, we only had one copy of that. Now what?
Well, here’s where key archival comes into play. You configure your CA to enable key archival and then you specify that your certificate templates have key archival enabled and now your private keys are copied to your CA so you can recover them when needed!

How to enable key archival

Identify a user to serve as the key recovery agent. In this case, we'll use the account LITWARE\Administrator.

Open your Certification Authority snap-in, right click Certificate Templates and click Manage. You now see a list of certificate templates:


Duplicate the Key Recovery Agent certificate template and give it a name: Key Recovery Agent 2


Configure the key recovery agent certificate template with Read and Enroll permissions for the key recovery agent (LITWARE\Administrator). You do this on the Security tab:


Now we need to configure the CA to use issue the new certificate template. Right click Certificate Templates, click New then click Certificate Templates to Issue


Select your new Key Recovery Agent 2 certificate and click OK


Now we need to enroll the Administrator account for the Key Recovery Agent 2 certificate. To do this, open up certmgr.msc and click on Personal

Click on Action > All Tasks > Request New Certificate


Click next


Click to select the Key Recovery Agent 2 certificate and then click Enroll to finish the wizard:



Note that it didn't issue the certificate - the status is Enrollment pending. Now, go back to your CA snap-in and click on Pending Requests. You should see a pending request for the certificate you just enrolled.


Right click the certificate, click on All Tasks and then Issue. The certificate is now issued.
Now, right click the CA and go to Properties and select the Recovery Agents tab. Select Archive the key, select the Number of recovery agents to use (one in our case):


Click Add and select the certificate which was issued to your chosen user:


Click OK twice and you're then prompted to restart the AD CS services so go ahead and click Yes


So, we've now created our Key Recovery Agent certificate template, issued it to our Key Recovery Agent and configured the CA to use a Key Recovery Agent. We're not protected against key loss just yet because the certificate templates that are issued out need to have key archival enabled.
Right click on a certificate template which you need to enable key archival for, duplicate it, give it a name, go to Properties and then to the Request Handling tab. Tick Archive subject's encryption private key:


On the Superseded Templates tab, add all the certificate templates that you want to be replaced by your new one then click OK:


This doesn't protect against loss of private keys for certificates which have already been issued so in this case, you need to get the clients to reenroll these. Right click on your original certificate and select Reenroll All Certificate Holders:


Go for an 8hr coffee break or just sit and stare at the screen…….

Go to Issued Certificates in the CA snap-in and add the Archived Key column. Eventually, you should start to see new certificates issued and you can see that the key is archived:


So, there you have it. That’s how you enable key archival in AD CS!

If you need to recover a key then see here.


  1. Hi i follow all the steps. it was working previously but the kra dissapear. following the steps it still don't appear when i have to select the certificate. any idea?

  2. I was in need for a genuine key, and my money were spent very well with The key worked straight away with no hassle and my office is now genuine.