In part five, we will cover Private Key Archival and Recovery. Having a backup of issued private keys is crucial, and we should implement it in this architecture. We will also configure the Certificate Template needed to enable Private Key Archival.
Let’s begin. If there’s anything unclear, please refer to the previous four parts of this guide, with links provided at the bottom.
On the CA server, open certsrv.msc, expand the server, right-click on Certificate Templates, and select Manage.

A new window with Certificate Templates will open. Select Key Recovery Agent, right-click on it, and choose Duplicate Template.

A new window will open. On the Compatibility tab, under Compatibility Settings, select Windows Server 2016 for Certification Authority and Windows 10/Windows Server 2016 for Certificate recipient.

On the General tab, enter the template name, set the Validity period to 1 year, and select Publish certificate in Active Directory.

In the Issuance Requirements tab, uncheck CA certificate manager approval.

On the Cryptography tab, ensure the Provider Category is Key Storage Provider, the Algorithm name is RSA, the Minimum key size is 4096, and the Request hash is SHA256.

In the Security tab, Authenticated Users should have Read permission, Domain Admins should have Read, Write, and Enroll permissions, and Enterprise Admins should have Read, Write, and Enroll permissions. Click Apply and OK to close.
You can now close Certificate Templates.
In the Certificate Authority console, right-click on the Certificate Templates folder and select New – Certificate Template to Issue.

Select the template you just created and press OK.

The template will now appear in the Certificate Templates window. You can close the Certification Authority console.
Deploy the Key Recovery Agent Certificate
We will now request the Key Recovery Agent certificate. Open certmgr.msc (the Current User certificate store) on the CA server. Ensure you are logged in as Domain Administrator on the CA before proceeding. This is not advisable in production environments; a dedicated account for Key Recovery should be used.
Right-click on Personal, go to All Tasks, and select Request New Certificate.

Active Directory Enrollment Policy should be selected. Click Next. Select Key Recovery Agent Pwoks.local (the template you created) and click Enroll.

Wait and then click Finish. You should now have the certificate.

Configure Certificate Authority for Key Recovery
Open Certification Authority (certsrv.msc) on the CA server. Right-click on the server, select Properties, go to the Recovery Agents tab, select Archive the key, and leave Number of recovery agents to use at 1. Click Add and choose the Key Recovery Agent certificate you enrolled in the previous step.

The KRA certificate will appear in the list but will show as Not loaded. Click Apply, and you will be prompted to restart Active Directory Certificate Services. Click Yes. The status will change to Loaded. Press OK.

After restarting AD CS, the KRA certificate is now valid and the CA will archive private keys for templates that request archival. Press OK.
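As an added check that is not part of this guide, the following PowerShell script reads the duplicated template back from Active Directory and verifies the settings chosen on the General, Issuance Requirements, Cryptography and Security tabs, then confirms the CA has a KRA certificate loaded. It assumes a domain-joined host, read access to the Configuration partition, the template display name used in the enrollment step, and that the certutil check runs on the CA itself.

```powershell
# Added audit script, not from the original guide. Assumes a domain-joined host,
# read access to the Configuration partition, and that certutil runs on the CA.
param([string]$TemplateDisplayName = 'Key Recovery Agent Pwoks.local')  # assumed display name from the guide

$ENROLL_RIGHT              = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$CT_FLAG_PEND_ALL_REQUESTS = 0x2   # "CA certificate manager approval" (Issuance Requirements tab)
$CT_FLAG_PUBLISH_TO_DS     = 0x8   # "Publish certificate in Active Directory" (General tab)

# Locate the template object under the Configuration partition by its display name
$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$root     = [adsi]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object DirectoryServices.DirectorySearcher($root,
    "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))")
$result = $searcher.FindOne()
if (-not $result) { throw "Template '$TemplateDisplayName' not found in AD" }
$tpl = $result.GetDirectoryEntry()

$flags   = [int]$tpl.Properties['msPKI-Enrollment-Flag'].Value
$keySize = [int]$tpl.Properties['msPKI-Minimal-Key-Size'].Value
# pKIExpirationPeriod is a negative Int64 count of 100 ns intervals; 1 year in the GUI is stored as 365 days
$validityDays = -([BitConverter]::ToInt64($tpl.Properties['pKIExpirationPeriod'].Value, 0)) / 864000000000

$findings = [ordered]@{
    'Publishes to AD'            = ($flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
    'No manager approval needed' = ($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    'Key size >= 4096'           = $keySize -ge 4096
    'Validity is 1 year'         = [math]::Round($validityDays) -eq 365
}

# Anyone who can enroll a KRA certificate can decrypt every archived key, so the Enroll
# right (or GenericAll, which implies it) should be limited to the admin groups from the Security tab.
$rules = $tpl.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
$enrollSids = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $ENROLL_RIGHT -or
     $_.ActiveDirectoryRights.HasFlag([DirectoryServices.ActiveDirectoryRights]::GenericAll))
} | ForEach-Object { $_.IdentityReference }
$findings['Enroll granted to'] = ($enrollSids | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value } }) -join ', '
$findings['Authenticated Users cannot enroll'] = -not ($enrollSids.Value -contains 'S-1-5-11')

# CA side: KRACertCount > 0 means at least one KRA certificate is loaded on the Recovery Agents tab
$kraLine = certutil -getreg ca\KRACertCount 2>$null | Select-String 'KRACertCount'
$findings['CA archives keys (KRACertCount > 0)'] =
    [bool]($kraLine -and [int]([regex]::Match($kraLine, '=\s*(\d+)').Groups[1].Value) -gt 0)

$findings.GetEnumerator() | Format-Table Name, Value -AutoSize
```

Any row reporting False points back to the tab where that setting was chosen; a principal other than the chosen admin groups in the "Enroll granted to" row is the one to fix first.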
And that concludes this part. We are done.
