Configure a certificate template for key archival and recovery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


To configure a certificate template for key archival and recovery

  1. Open Certificate Templates.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Request Handling tab, select the Archive subject's encryption private key check box.


  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Certificate Templates, click Start, click Run, type certtmpl.msc, and then press Enter.

  • This procedure is applicable to version 2 templates. For more information about version 2 templates, see Related Topics.

  • In addition to this procedure, the certification authority must be configured to archive keys. For more information, see Related Topics.

  • Clients must be re-enrolled to receive a certificate that is based on the changed template if they already have a valid certificate that is based on the old template. For more information about re-enrolling clients, see Related Topics.
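
To confirm the setting after completing the procedure, the following added example (not part of the original Microsoft documentation) reads the certificate template objects from Active Directory and reports which ones have the key archival flag set. It assumes a domain-joined computer with Windows PowerShell and read access to the Configuration partition. The function names are hypothetical.

```powershell
# Added example: report which certificate templates have key archival enabled.
# Assumption: run from a domain-joined machine with read access to the
# Configuration partition. Function names are illustrative.

# Bit in msPKI-Private-Key-Flag that marks a template for private key archival.
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1

function Test-KeyArchivalFlag {
    param([int]$PrivateKeyFlag, [int]$SchemaVersion)
    # Archival applies to version 2 templates, so version 1 never qualifies.
    return ($SchemaVersion -ge 2) -and
           (($PrivateKeyFlag -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0)
}

function Get-FirstValue {
    param($Properties, [string]$Name, $Default)
    # Attributes that are not set are absent from the search result.
    if ($Properties.Contains($Name)) { return $Properties[$Name][0] }
    return $Default
}

function Get-TemplateArchivalStatus {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $base = [ADSI]("LDAP://CN=Certificate Templates,CN=Public Key Services," +
                   "CN=Services,$configNc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 200
    foreach ($attr in 'cn', 'mspki-private-key-flag', 'mspki-template-schema-version') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $flag = [int](Get-FirstValue $p 'mspki-private-key-flag' 0)
        $version = [int](Get-FirstValue $p 'mspki-template-schema-version' 1)
        New-Object PSObject -Property @{
            Template      = [string](Get-FirstValue $p 'cn' '')
            SchemaVersion = $version
            KeyArchival   = Test-KeyArchivalFlag -PrivateKeyFlag $flag -SchemaVersion $version
        }
    }
}

Get-TemplateArchivalStatus | Sort-Object Template |
    Format-Table Template, SchemaVersion, KeyArchival -AutoSize
```

A template that reports `KeyArchival` as True still results in archived keys only when the certification authority is also configured to archive keys, as noted above.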

See Also


Establishing key options and key archival
Key archival
Re-enroll all certificate holders
Key archival and recovery
Manage Key Archival and Recovery

Other Resources

Active Directory Certificate Services PKI - Key Archival and Management