Requesting the Key Recovery Agent Certificate

The following process performs the initial certificate request for the Key Recovery Agent certificate. The process assumes that the certificate template has the default settings, though the permissions are defined to allow a custom global or universal group Read and Enroll permissions:

1. Log on to the domain from a Windows 2000 or Windows XP computer with an account assigned Read and Enroll permissions for the Key Recovery Agent certificate template.

2. Open Microsoft Internet Explorer.

Note You must use Internet Explorer for the certificate request because the Certificate Enrollment Wizard does support pended requests. The Certificate Services Web Enrollment pages provide content to allow you to check the status of a pending certificate request. The link is maintained through a cookie issued at the requesting computer.

3. In Internet Explorer, open the URL http://CertSrvDNS/certsrv (where CertSrvDNS is the Domain Name System name of the CA issuing the Key Recovery Agent certificates).

4. On the Welcome page, click the Request a Certificate link.

5. On the Advanced Certificate Request page, click the Create and Submit a Request to this CA link.

6. On the Advanced Certificate Request page, in the Certificate Template dropdown list, select Key Recovery Agent.

Note You can further increase the security of the Key Recovery Agent certificate template by creating a custom certificate template that implements a smart card CSP. With the default smart card CSPs, you must also reduce the key length to 1024 bits to allow storage on a smart card.

7. On the Advanced Certificate Request page, in the Friendly Name box, type Key Recovery Agent, and click Submit.

8. In the Potential Scripting Violation dialog box, allow the Web site to request a certificate on your behalf by clicking Yes.

9. On the Certificate Pending page, ensure that the Web page states that the request ID is in a pending state.

10. Close Internet Explorer.

This process must be repeated for each key recovery agent required in the forest. Issuing the Key Recovery Agent Certificate

Once the certificate request is pending, the key recovery agent must have his or her identity validated by a certificate manager. The method used to identify the key recovery agent depends on your organization's certificate policies. With the requestor's identity validated, a certificate manager can issue the Key Recovery Agent certificate using the following process:

1. Log on to the issuing CA as a user assigned the Issue and Manage Certificates permission.

2. Open the Certification Authority console.

3. Expand the certification authority name and click Pending Requests.

4. Ensure that the Key Recovery Agent certificate requestor has met the defined certificate policy, right-click the pending certificate request in the details pane, point to All Tasks, and click Issue.

5. Close the Certification Authority console.

This process must be repeated for all pending Key Recovery Agent certificates. When the certificate is issued, the CA publishes the certificate to the CN=KRA, CN=Public Key Services,CN=Services,CN=Configuration,DC=.ForasĀ£#ooi.Domam container. Publication in this container allows the Key Recovery Agent certificate to be added to the configuration of an enterprise CA in the forest, enabling key archival.

Was this article helpful?

+1 0


  • steffen pabst
    Who has permission to request a key recovery agent certificate?
    8 years ago
  • alex lacombe
    How to configure recovery agent certificate?
    1 year ago
  • ulrike
    How to generate pki key recovery agent certificate?
    2 months ago
  • manuela
    How to enroll issue certificate recovery agent?
    2 months ago
  • clorinda
    What function does a Key Recovery Agent perform?
    1 month ago

Post a comment