Implementing Key Archival Walkthrough

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The first step in enabling key archival on a CA is enrolling for one or more KRA certificates.

Enrolling a Key Recovery Agent

The first step is to enroll KRAs for KRA Certificates. The following section explains the steps for enrolling a KRA.

Configuring the Certificate Templates

A certificate template suitable for creating KRA certificates is installed in Active Directory. By default, only an Enterprise Administrator or a Domain Administrator may request a KRA certificate as defined by the default ACLs on the KRA certificate template. The certificate template ACLs can be viewed in the Certificate Templates MMC snap-in; in addition, using the Certificate Templates MMC snap-In, certificate templates can be cloned or edited.


Only a domain with the Windows Server 2003 schema will support version 2 templates and only a Windows Server 2003, Enterprise Edition may issue a version 2 template certificate.

To configure a certificate template

  1. Log on as an Enterprise or Domain Administrator to the CA machine.

  2. Click the Start button, click Run, and then type certtmpl.msc.

  3. Click OK.

    Art ImageFigure 15:  Certificate Templates MMC Snap-In

  4. In the details pane, double-click Key Recovery Agent.

  5. In the Key Recovery Agent Properties dialog box, click the Security tab.

    Art ImageFigure 16:  Key Recovery Agent Template Properties

  6. Add the appropriate user(s) or group(s) with both Read and Enroll permission.

  7. Click OK to close the dialog box.

Next, the Certification Authority must be configured to issue this type of certificate.

Certificate Template Permissions

For a user or a computer to enroll for a certificate template, it must have appropriate permissions [access control entries (ACEs)] set on the template in Active Directory. A user or computer must have both Enroll and Read permissions to enroll for a selected certificate template. The Read permission allows the template to be discovered by the user and the Enroll permission is enforced by the enterprise CA when a user requests a certificate for a selected template. The enterprise CA must also have Read permissions on a template to enumerate the template in the directory and issue certificates based on that template. Normally, the enterprise CA is included in the Authenticated Users group, which has Read permissions by default on a template.

The Full Control permission is given to Enterprise Administrators by default on installation of a fresh Windows Server 2003 domain. If a domain has been upgraded from Windows 2000, Enterprise Administrators will not have this permission by default and the Full Control permission allows a user to set or modify the permissions on a selected template.

The Autoenroll permission is set on a template when a user or computer wants to automatically enroll for a selected certificate template. The Autoenroll permission is needed in addition to the Enroll permission for a user to enroll for a given certificate template.

The Write permission allows a user to modify the contents of a certificate template. Note that only a version 2 certificate with a Windows Server 2003 schema may be modified and version 1 certificate templates may only have the ACLs modified.

Smart Card Support

Smart cards are supported for use in conjunction with KRA certificates. It may be necessary to use a smart card and CSP that supports at least an 8-KB smart card to enroll for a KRA certificate on a smart card. If a smart card does not have adequate memory to support a KRA certificate, the following error will be generated on enrollment.

Error: 0x80100028

An attempt was made to write more data than would fit in the target object

All recovery operations are supported using a Smartcard. The system will prompt the recovery agent to insert an appropriate Smartcard when the key is needed to decrypt the recovery BLOB.

Configuring an Enterprise CA to Issue KRA Certificates

An Enterprise CA must be configured to issue a KRA certificate.

To configure an EnterpriseCA to issue a KRA certificate

  1. On the Administrative Tools menu, open the Certification Authority snap-in.

  2. In the console tree, expand Certification Authority, and then click Certificate Templates.

  3. Right-click the Certificate Templates node, click New, and then click Certificate Template to Issue.

  4. In the Select Certificate Template dialog box, click Key Recovery Agent, and then click OK.

  5. Close the Certification Authority MMC snap-in.

  6. The last manual step is to add the Certification Authority machine account to the Pre-Win2K Compatible Access group in every domain in which users will be using key archival. If this mandatory step is not performed, a CA Officer may not be able to manage groups of users. The Pre-Win2K Compatible Access group allows the CA to enumerate a user account and determine the group membership for CA Manager’s capability.

Enrolling a User with a KRA Certificate

A user may enroll for a certificate with a CA by using the Certificates MMC snap-in or through the CA Web pages. In the case of the KRA template, the template is marked to be “pended” by the CA, which requires that the certificate request be approved first by a CA Administrator or a Certificate Manager before it is issued. Pended certificate requests may only be retrieved through the Web enrollment interface or through the auto-enrollment process. For more information, see Appendix B: Additional Information.


It is strongly recommended not to automatically enroll KRA certificates as this may cause confusion for CA Administrators when automatic enrollment is unintentionally initiated resulting in additional KRA certificates in Active Directory.

KRA Web Enrollment

To enroll through a Web page

  1. Connect to the CA using a Web URL, for example:

    https://<CA Machine Name>/Certsrv


The Microsoft Certification Authority uses an ActiveX control known as xenroll.dll, which can be downloaded to client browsers that support ActiveX controls. Windows XP and Windows Server 2003 clients both ship with the ActiveX control pre-installed.

A Web site will open allowing you to request a certificate.  
  1. Select Request a Certificate.

  2. On the next Web page, select Advanced Certificate Request.

  3. Select Create and submit a request to this CA.

  4. The next page will allow the user to select various configuration options, including the type of certificate to request. Choose Key Recovery Agent as the Certificate Template.


A key size of 8192 or larger may take several hours to generate on the client. (Key pairs are always generated by the client CSP, not the CA.) This may slow public key operations on the CA when keys are archived. Key sizes of 2048 are much more reasonable for standard security needs; a key size of 8192 is used only as an example.