If you want to store and recover keys generated by the Microsoft CA, create one or more recovery agents as explained below.
To create a recovery agent
- In the Microsoft CA server machine, run MMC.
- Under the Certification Authority node, right-click Certificate Templates and select Manage.
- Right-click Key Recovery Agent and select Duplicate Template.
- Configure the settings described below in each tab of the Properties of New Template dialog.
- Under the Certification Authority node, right-click Certificate Templates and select New > Certificate Template to Issue.
- Select the newly created template.
- Create a user in Active Directory.
- Under the Personal node, right-click Certificates and select All Tasks > Advanced Operations > Enroll On Behalf Of.
- Follow the wizard instructions. When prompted, select the newly created user.
- Right-click the issued certificate and select Export.
- Follow the wizard instructions. In the Export Private Key dialog, select Yes, export the private key.
General
Click this tab and write a name for the new template in the Template display name field.
Request Handling
Click this tab and check the Allow private key to be exported box.
Issuance Requirements
Click this tab and set the following values.
| Parameter | Value |
|---|---|
| CA certificate manager approval | Disable this option |
| This number of authorized signatures | 1 |
| Policy type required in signature | Application policy |
| Application Policy | Certificate Request Agent |
Security
Click this tab and assign the following permissions to the Domain Admins group.

| Permissions for Domain Admins | Allow | Deny |
|---|---|---|
| Full Control | | |
| Read | | |
| Write | | |
| Enroll | | |
| Autoenroll | | |
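As an added audit example (not part of the original procedure): the PowerShell script below reads the duplicated template from the Active Directory Configuration partition, checks it against the Request Handling and Issuance Requirements settings above using the attribute flags defined in MS-CRTD, and then lists every principal that can enroll for it. It assumes the ActiveDirectory module is available and that the template display name passed in is the one chosen on the General tab.

```powershell
# Added audit script, not from the original procedure. Verifies a duplicated
# Key Recovery Agent template against the documented tab settings and lists
# who may enroll for it. Assumes the ActiveDirectory module (AD: drive).
param([string]$TemplateName = 'Key Recovery Agent (Custom)')   # assumed display name

Import-Module ActiveDirectory

# Flag bits, OIDs and rights GUID as defined in MS-CRTD / MS-ADTS
$CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag: CA manager approval
$CT_FLAG_EXPORTABLE_KEY    = 0x00000010   # msPKI-Private-Key-Flag: key may be exported
$CertRequestAgentOid       = '1.3.6.1.4.1.311.20.2.1'                  # Certificate Request Agent
$EnrollRightGuid           = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1' # Certificate-Enrollment
$GenericAll                = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$TemplateName)" `
            -Properties 'msPKI-Enrollment-Flag','msPKI-Private-Key-Flag',
                        'msPKI-RA-Signature','msPKI-RA-Application-Policies'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $base" }

# Map each documented setting to a boolean derived from the template object
$checks = [ordered]@{
  'Request Handling: private key exportable'     = [bool]($tmpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
  'Issuance: CA manager approval disabled'       = -not ($tmpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
  'Issuance: authorized signatures = 1'          = ($tmpl.'msPKI-RA-Signature' -eq 1)
  'Issuance: policy = Certificate Request Agent' = (($tmpl.'msPKI-RA-Application-Policies' -join ';') -match [regex]::Escape($CertRequestAgentOid))
}
foreach ($c in $checks.GetEnumerator()) {
  '{0,-4} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
}

# Security tab: a KRA certificate can decrypt every archived key, so the set of
# principals holding Enroll (directly, via all extended rights, or via Full Control)
# should be exactly the group chosen above and nothing more.
$acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
$acl.Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
      $_.ActiveDirectoryRights.HasFlag($GenericAll) -or
      ($_.ActiveDirectoryRights -band 'ExtendedRight') -and
        ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)
    )
  } |
  Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
  Format-Table -AutoSize
```

Run it with the display name you entered on the General tab; any FAIL line or an unexpected identity in the enrollment list means the template does not match the configuration described above.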