
    Key Archival


    Next, we’ll look at setting up Key Archival. There are two parts to setting up Key Archival. The first is designating a Key Recovery Agent for the CA. The second is configuring the Certificate Template for archival, which we touched on in the previous part, Configuring Certificate Templates.

    Key Archival is important for certificates that are used for encryption. If a user’s encryption private key is lost for some reason, any encrypted data can be recovered by extracting the archived private key from the CA database and returning it to the user.


    Designating a Key Recovery Agent (KRA)


    In the previous part, we configured the CA to issue KRA certificates. Specifically, we added the default KRA template to the list of certificate templates available on the CA, and set the permissions on the template to allow members of the Fabrikam KRA security group to enroll. The next step is to have at least one member of that group request the KRA certificate.

    The user, Magnus Hedlund, is a member of the Fabrikam KRA group. Here’s how he’d request a KRA certificate.



    1. Connect to the Web Enrollment site and select Request a certificate from the Web Enrollment webpage.

    2. Select Create and submit a request to this CA.

    3. From the Certificate Template drop-down, select Key Recovery Agent. Magnus should also make sure the option Mark keys as exportable is selected, but the rest of the default settings can be accepted.

    4. Set the friendly name to KRA Cert, and click Submit.

    5. The default Key Recovery Agent template is configured to require Certificate Manager approval (on the Request Handling tab), meaning that a Certificate Manager (a local Administrator on the server, by default) must manually issue the certificate. As such, Magnus will see a message stating that his request is in a pending state. Magnus then emails the Certificate Manager to get the request approved.

    6. The Certificate Manager launches the Certificate Services MMC, selects Pending Requests, and locates Magnus’ request. She then right-clicks on the request, selects All Tasks from the context menu, and then selects Issue.

    7. In order to retrieve his issued certificate, Magnus must return to the Web Enrollment site. This time he must select View the status of a pending certificate request. REQUIRED: Magnus must reconnect to the site using the same client he used to submit the request. The Web Enrollment pages use a cookie to record pending requests.

    8. Magnus then clicks on his request that is identified by the date and time that it was submitted.

    9. Magnus then has a link to Install this certificate.

    10. Magnus is then presented with a Potential Scripting Violation error asking if the certificate should be added to the certificate store. He clicks Yes to acknowledge the warning.



    The Certificate is then successfully installed.
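The same request, approval and installation can be done from the command line with certreq and certutil. This is an added example, not part of the original guide; the CA config string, the output file names and the requestor’s membership in the Fabrikam KRA group are assumptions.

```powershell
# Added example (not from the original guide): the KRA request, Certificate
# Manager approval and installation done with certreq/certutil instead of the
# Web Enrollment pages. The CA config string below is an assumed value.
$caConfig = 'CA01.fabrikam.com\Fabrikam Issuing CA'   # assumed CA name

# --- Requestor (member of the Fabrikam KRA group) ---
$inf = @"
[NewRequest]
Subject = "CN=Magnus Hedlund"
FriendlyName = "KRA Cert"
KeyLength = 2048
; Same as "Mark keys as exportable" in the web UI
Exportable = TRUE
; User store, as in the web enrollment flow
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = KeyRecoveryAgent
"@
Set-Content -Path .\kra.inf -Value $inf -Encoding ASCII

certreq -new .\kra.inf .\kra.req
# The template requires Certificate Manager approval, so the submission comes
# back "Taken Under Submission"; capture the RequestId from certreq's output.
$submit = certreq -submit -config $caConfig .\kra.req .\kra.cer
$requestId = [int](($submit | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value)

# --- Certificate Manager on the CA (equivalent of Pending Requests > All Tasks > Issue) ---
# Review who asked for a KRA certificate before issuing it.
certutil -view -restrict "RequestID=$requestId" -out "RequestID,RequesterName,CertificateTemplate"
certutil -resubmit $requestId

# --- Requestor, on the same client that generated the key ---
certreq -retrieve -config $caConfig $requestId .\kra.cer
certreq -accept .\kra.cer   # binds the issued cert to the pending private key

# Confirm the installed certificate carries the Key Recovery Agent EKU
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq 'KRA Cert' } |
    Select-Object Thumbprint, @{n='EKU'; e={ $_.EnhancedKeyUsageList.ObjectId }}
```

Unlike the Web Enrollment pages, retrieval here is keyed on the request ID rather than a browser cookie, but certreq -accept must still run on the client that generated the key, because that is where the pending private key lives.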

    Users with Key Recovery Agent certificates should take care to protect their certificates and keys. One way of doing that is exporting the KRA certificate and private key to a PFX file, deleting the private key stored on the client, and keeping that password-protected file in a safe location. The KRA certificate and private key can then be imported as needed.

    To do this, Magnus follows these steps:

    1. Open the Certificates MMC targeted to his user account (Certmgr.msc).

    2. Expand Personal, then Certificates. Locate the KRA Cert, and right-click on it. Select Export from the context menu.

    3. This launches the Certificate Export Wizard. Click Next to continue.

    4. On the Export Private Key page of the wizard, select Yes, export the private key, and click Next.

    5. On the Export File Format page, select Delete the private key if the export is successful and make sure all the other options are deselected. Click Next.

    6. Enter a password to secure the Private Key, and click Next.

    7. On the File to Export page, click Browse….

    8. Browse to a secure location in the file system, give the PFX file a name, and click Save.

    9. Click Next on the File to Export page.

    10. Click Finish to complete the export.

    11. He is then prompted that the export was successful, and clicks OK.
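The export wizard steps above, done in PowerShell. This is an added example, not from the original guide; the removable-media path, the friendly name KRA Cert and the check that the PFX reopens before the local key is deleted are assumptions of the example.

```powershell
# Added example (not from the original guide): export the KRA certificate and
# private key to a password-protected PFX and remove the key from the client,
# the PowerShell equivalent of the Certificate Export Wizard steps.
# Assumed: removable media at E:\ and the friendly name "KRA Cert".
$kraEku  = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent EKU OID
$pfxPath = 'E:\KRA-Cert.pfx'

# Select the KRA certificate by EKU as well as friendly name, so a
# mislabelled certificate is not exported by mistake.
$kra = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq 'KRA Cert' -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $kraEku) -and
                   $_.HasPrivateKey })
if ($kra.Count -ne 1) { throw "Expected exactly one KRA certificate, found $($kra.Count)" }
$kra = $kra[0]

# Equivalent of "Yes, export the private key" plus the password page.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $kra -FilePath $pfxPath -Password $password `
    -ChainOption EndEntityCertOnly | Out-Null

# Only delete the local key once the exported file can be opened again
# (the wizard's "Delete the private key if the export is successful").
$check = Get-PfxData -FilePath $pfxPath -Password $password
if ($check.EndEntityCertificates.Thumbprint -contains $kra.Thumbprint) {
    Remove-Item -Path "Cert:\CurrentUser\My\$($kra.Thumbprint)" -DeleteKey
    Write-Host "KRA key exported to $pfxPath and removed from this client."
} else {
    throw 'PFX verification failed; private key left in place.'
}

# When a recovery is needed, import it back into the user store:
# Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password
```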

    In a high security setting, one option may be to save the PFX file to removable media, and then secure that media in a locked safe until it is needed. Why are such measures necessary? Well, they may not be; it totally depends on your environment. What is important to realize is that Key Recovery Agents can decrypt the encrypted key blob for any user with an archived key. The CA’s design tries to mitigate this risk somewhat by requiring a Certificate Manager to actually export the encrypted key blob from the CA database. A Key Recovery Agent can only decrypt the exported key blob; he can’t actually export the key blob himself.
