This lesson introduces students to data and key recovery, the file formats that a PKI uses to export and import certificates, and the key archival and recovery process. Students will also learn about the guidelines for securing the key archival and recovery process.
Key Recovery Overview
The Windows XP and Windows Server 2003 operating systems support key recovery and data recovery. Tell students to use data recovery when they want to recover data, but not when they want to access the individual private keys of a user. Explain that they should use key recovery when they want to recover data without issuing new certificates. Focus on how private keys are lost. Many students will be unaware that actions such as deleting a user profile or reinstalling the operating system will result in the loss of private key material.
Do not spend a lot of time describing each export format. Consider running the Certificates MMC console (certmgr.msc) and showing where the export format selection occurs.
Ensure that students know that there is more than one way to export a certificate's private key. The application that you choose directly affects the export format of the private key.
Demonstrate the procedure for exporting private keys.
File Formats Used for Exporting Keys and Certificates
Tools for Exporting Keys
How to Export Keys
Practice: Exporting Private Keys
Ask students to complete the practice on exporting keys.
Requirements for Key Archival and Recovery
How to Configure a CA for Key Archival
Guidelines for Mitigating Security Risks Associated with Key Recovery
Explain to students that before a CA can perform key archival and recovery, it should meet some requirements of an established key archival policy. If the class is running behind, perform this practice as a classroom discussion.
Demonstrate the steps for configuring a CA for key archival.
Focus on which role performs each task and the formats that are used for each task. This information will help students understand when each format is used in the recovery process.
Consider asking the students whether their organization's security policy requires separation of the certificate manager and key recovery agent (KRA) roles. Remind the students that the KRA role is not a Common Criteria role, so they can perform this dual assignment.