Private key archiving and recovery
When requesting a certificate from a Windows CA, a user can have the private key archived by the CA. If the user later loses the entire system (for example, in a catastrophic failure), the archived copy allows the private key to be recovered. Archival is intended for encryption keys, so that data encrypted earlier stays readable; a key used only for signing should not be archived, because a second copy of it undermines non-repudiation.
Support for this archival and recovery process is included in ProtectToolkit-M. The following examples demonstrate the use of this capability.
Private key archiving example
Here are the tasks required to archive a private key using a Microsoft certification authority (CA).
-
Create a key recovery agent (KRA) account
-
Acquire the KRA certificate
-
Configure the certification authority to allow key recovery
-
Create a new certificate template that allows key archiving
-
Acquire a user certificate that has an archived key
Prerequisites
Before doing these tasks:
-
You must have a Windows Server domain controller.
-
The Windows Server domain controller must also be configured as an enterprise root or subordinate CA.
-
A user keyset for the user must exist. Refer to Creating user keysets for further information.
-
The Allow Clear Export of Private Keys flag must be set. See the section Enabling private key clear export for the procedure. Archival requires the key to leave the HSM: the CSP exports the private key so that the client can send it to the CA, encrypted for the CA exchange certificate, as part of the request.
1. Creating a key recovery agent account
Configure and add the KRA certificate template as a template that can be issued by the enterprise CA.
To verify who can enroll the key recovery agent template
-
Log on as administrator.
-
Select Start, Run, enter certtmpl.msc, and press Enter.
This opens the Certificate Templates snap-in in the Microsoft Management Console.
-
In the console tree, select “Certificate Templates”.
-
In the details pane, right-click Key Recovery Agent and select Properties. Select the Security tab.
By default, the security groups that can enroll the KRA certificate template are Domain Admins and Enterprise Admins.
-
To allow other users or groups to enroll the KRA certificate template, select Add to add the user or group and grant them Read and Enroll permissions.
To change the default issuance behavior of the key recovery agent template
-
In Key Recovery Agent Properties, select the Issuance Requirements tab.
-
Clear the CA certificate manager approval check box and select OK. This removes the approval step for the purposes of this walkthrough only; because the holder of a KRA certificate can decrypt every key archived to it, keep manager approval enabled in production.
-
Close the Microsoft Management Console.
To change the request handling to allow the SafeNet CSPs
-
In Key Recovery Agent Properties, select the Request Handling tab.
-
Check the Allow Private Key to be Exported check box.
-
Select the CSP button and select the radio button to allow requests to use any CSP available on the subject’s computer.
To configure the certification authority (CA) to issue key recovery agent certificates
-
On the Administrative Tools menu, select Certification Authority.
This opens the Certification Authority snap-in in the Microsoft Management Console.
-
In the console tree, double-click the CA, and then select Certificate Templates.
-
Right-click Certificate Templates, select New, and then select Certificate Template to Issue.
-
In Enable Certificate Template, select Key Recovery Agent, and then select OK.
2. Acquiring the key recovery agent certificate
In this series of steps, you will acquire a KRA Certificate for the purpose of recovering private keys. Begin by creating an MMC console with the Certificates snap-in loaded.
To open a Certificates console for the current user
-
Ensure that you are logged on as the administrator.
-
On the taskbar, select the Start button, and then select Run.
-
In Run, enter mmc, and then select OK.
-
On the File menu, select Add/Remove Snap-in.
-
In Add/Remove Snap-in, select Add.
-
In Add Stand-alone Snap-in, select Certificates, and then select Add.
-
In Certificates, select My user account and then select Finish.
-
Select Close, and then select OK.
To acquire a key recovery agent certificate
-
In the console tree of the newly-created MMC console, double-click Certificates - Current User.
-
In the console tree, right-click Personal, select All Tasks, Request New Certificate.
-
In the Certificate Request Wizard, select Next.
-
In Certificate Types, select Key Recovery Agent and the Advanced checkbox, and then select Next.
-
On the CSP page that now displays, choose the SafeNet provider for HSM key storage and any other appropriate settings such as Key is Exportable, etc. Then select Next and Next again.
-
On the Certificate Friendly Name and Description page, in the Friendly Name field, enter Key Recovery, and then select Next.
-
In Completing the Certificate Request Wizard, select Finish.
-
In the console tree, double-click Personal and then select the Certificates folder.
-
Ensure that a certificate with the friendly name of Key Recovery exists.
-
Close the console without saving changes.
3. Configuring the CA to allow key recovery
In this series of steps, configure the enterprise CA to use the Recovery Agent certificate acquired in Task 2. The CA loads the public key of the KRA certificate and encrypts each archived private key to it, so only the holder of the KRA private key can later recover the archived keys.
To configure the recovery agent to be the administrator's key recovery agent certificate
-
Ensure that you are logged on as the administrator.
-
In Administrative Tools, open Certification Authority.
This opens the Certification Authority snap-in in the Microsoft Management Console (MMC).
-
In the console tree, select the CA.
-
Right-click the CA, and then select Properties.
-
In the CA Properties, on the Recovery Agents tab, select Archive the key and then select Add.
-
In Key Recovery Agent Selection, select the certificate that is displayed, and then select OK. The KRA certificate is shown with a status of Not loaded.
-
Select OK, and when prompted to restart the CA, select Yes. After the CA service restarts, the status of the KRA certificate changes from Not loaded to Valid.
To open the certificates console, focused on the local computer
-
On the taskbar, select the Start button, and then select Run.
-
In Run, enter mmc, and then select OK.
-
On the File menu, select Add/Remove Snap-in.
-
In Add/Remove Snap-in, select Add.
-
In Add Standalone Snap-in, select Certificates, and then select Add.
-
In Certificates Snap-in, select Computer account and then select Next.
-
In Select Computer, select Local Computer, and then select Finish.
-
Select Close, and then select OK.
To verify the installation of the key recovery agent certificate
-
In the console tree, double-click Certificates (Local Computer), double-click KRA, and then select Certificates.
-
In the details pane, double-click the certificate.
-
Verify that the intended use of the certificate is KRA and the certificate is issued to Administrator. This procedure ensures that the KRA has been successfully configured.
-
Select OK and then close the console without saving changes.
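The three configuration tasks above are verified by hand in the MMC. The following PowerShell script, added here as an example and not part of the ProtectToolkit-M documentation, performs the same checks from an elevated prompt on the CA: it confirms that a certificate with the Key Recovery Agent EKU is in the local computer's KRA store, reads the KRA settings the Recovery Agents tab writes to the CA's registry configuration, and confirms that the CA issues the Key Recovery Agent template. It assumes certutil.exe is on the PATH and that the CA is the local default CA (so no -config argument is needed); the template internal name KeyRecoveryAgent is the Windows default.

```powershell
# Added example; not from the ProtectToolkit-M documentation. Run in an
# elevated PowerShell session on the CA after completing tasks 1 to 3.
# Assumes certutil.exe is on the PATH and that the CA is the local default
# CA (so no -config argument is needed).

$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage

function Get-LoadedKraCertificate {
    # Task 3 leaves the KRA certificate in the local computer's KRA store.
    # Return only entries that really carry the Key Recovery Agent EKU.
    Get-ChildItem Cert:\LocalMachine\KRA |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KraEkuOid }
}

function Get-CaKeyArchivalSettings {
    # The Recovery Agents tab writes KRACertCount (number of KRA certificates
    # each archived key is encrypted to) and KRACertHash (hashes of the loaded
    # KRA certificates) under the CA's registry configuration key.
    # certutil -getreg prints them with surrounding text, so keep the raw output.
    [pscustomobject]@{
        KraCertCount = (certutil -getreg CA\KRACertCount 2>&1 | Out-String).Trim()
        KraCertHash  = (certutil -getreg CA\KRACertHash  2>&1 | Out-String).Trim()
        Templates    = (certutil -CATemplates            2>&1 | Out-String).Trim()
    }
}

$kra = @(Get-LoadedKraCertificate)
if ($kra.Count -eq 0) {
    throw 'No certificate with the Key Recovery Agent EKU in Cert:\LocalMachine\KRA; repeat tasks 2 and 3.'
}
# Whoever controls these private keys can decrypt every archived user key,
# so record exactly which certificates are loaded.
$kra | Format-List Subject, SerialNumber, Thumbprint, NotAfter

$settings = Get-CaKeyArchivalSettings
$settings.KraCertCount
$settings.KraCertHash

# The CA must publish the Key Recovery Agent template (task 1) before a KRA
# certificate can be enrolled. KeyRecoveryAgent is the template's internal
# name, which certutil -CATemplates prints before the display name.
if ($settings.Templates -notmatch 'KeyRecoveryAgent') {
    Write-Warning 'The Key Recovery Agent template is not in the list of templates this CA issues.'
}

# Every certificate in the KRA store should be registered in KRACertHash. One
# that is in the store but not in the registry was never added on the
# Recovery Agents tab, or the CA service has not been restarted since.
$registeredHashes = ($settings.KraCertHash -replace '\s', '').ToLower()
foreach ($c in $kra) {
    if ($registeredHashes -notmatch $c.Thumbprint.ToLower()) {
        Write-Warning "KRA certificate $($c.Thumbprint) is not registered in CA\KRACertHash."
    }
}
```

The thumbprint comparison strips whitespace from both sides because certutil prints the stored hash as spaced hex pairs while the certificate provider reports it as one unspaced string.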
4. Creating a new certificate template that allows key archiving
In this series of steps, you define a new template that allows key archival and HSM key storage by using the Certificate Templates console. This allows hardware key storage within an HSM at the client computer, and key recovery in the domain if the private key is lost or corrupted at the client computer.
To open the Certificate Templates console
-
Log on as the administrator.
-
On the taskbar, select the Start button, and then select Run.
-
In Run, enter mmc, and then select OK.
-
On the File menu, select Add/Remove Snap-in.
-
In Add/Remove Snap-in, select Add.
-
In Add Standalone Snap-in, select Certificate Templates, and then select Add.
-
Select Close, and then OK.
In the next procedure, you duplicate the User certificate template and name the copy Archive User. This is a shortcut to creating a template whose permissions allow both Domain Administrator and Domain User certificate enrollments. The copy is then modified so that certificate enrollments made with it enable both key archival and the use of a SafeNet CSP.
To create a modified Archive User certificate template
-
In the console tree, select Certificate Templates.
-
In the details pane, right-click the User template, and select Duplicate Template.
-
In the Properties of New Template dialog box, in the General tab, in the Template display name box, enter Archive User.
-
In the Request Handling tab, enable the Archive subject's encryption private key option (see the screen shot below). With this option set, the CA stores an encrypted copy of the private key in its database, from which a KRA can later recover it.
-
Select the CSPs button to enable HSM key storage using one or more SafeNet CSPs.
The dialog box allows selection of particular CSPs or all CSPs can be enabled by selecting the appropriate radio button.
Typically, only the SafeNet RSA Full Cryptographic Provider is required. The SChannel Provider is only needed where SSL/TLS processing will be carried out.
-
After finalizing selections, select OK and OK again to apply changes and close the dialog boxes.
-
Close the console without saving changes.
5. Acquiring a user certificate that has an archived key
In this series of tasks, you will configure the certification authority (CA) to issue Archive User certificates. Using a newly created account, you will act as a user to acquire an Archive User certificate from the CA and record the certificate's serial number for later use.
To configure CA to issue the new Archive User certificate template
-
Ensure that you are logged on as the administrator.
-
From Administrative Tools, open Certification Authority.
-
In the console tree, double-click the CA name, and then select Certificate Templates.
-
Right-click Certificate Templates, select New, and then select Certificate Template to Issue.
-
In Enable Certificate Templates, select Archive User and then select OK.
-
The Archive User certificate template now appears in the details pane.
-
Close Certification Authority.
To create a new user account
-
In Administrative Tools, open Active Directory Users and Computers.
-
Double-click the domain.
-
Select Users then select the Create a new user in the current container button.
-
Complete the following fields to create a user account:
-
First name
-
Last name
-
User logon name (for example, JSmith@xxxx.com)
-
Password
-
Select Next, and then select Finish.
-
Double-click the new user account, select the General tab and enter the email address. For example, JSmith@xxxx.com. This is required if the option to include the email name is set in the template used to create the user (Subject Name tab).
-
For the purpose of demonstration here, add the user to the Server Operators group so they are able to log on locally to the domain controller. This would not normally be required, and should not be done in production: ordinary users should enroll from a workstation, not from the domain controller.
-
Select the Member of tab.
-
Select Add, in Select Groups, enter Server Operators, select Check Names, and then select OK.
-
Select OK to close Properties.
-
Close Active Directory Users and Computers.
-
Close all open windows and log off the computer.
To open the Certificates console
-
Log on as the user.
-
On the taskbar, select the Start button, and then select Run.
-
In Run, enter mmc, and then select OK.
-
From the File menu, select Add/Remove Snap-in.
-
In Add/Remove Snap-in, select Add.
-
In Add Stand-alone Snap-in, select Certificates, select Add, and then select Close.
-
Select OK to close the Add/Remove Snap-in dialog box.
To use the certificates MMC to acquire an Archive User certificate
-
In the newly-created MMC console, in the console tree, double-click Certificates (Current User).
-
In the console tree, right-click Personal, select All Tasks, and then select Request New Certificate.
-
In the Certificate Request Wizard, select Next.
-
Under Certificate types, select Archive User and check the Advanced checkbox. Then select Next.
-
On the CSP page that is now visible, choose the SafeNet provider for HSM key storage and any other appropriate settings such as Key is Exportable, etc. Then select Next and Next again.
-
In Friendly name, enter Archive User, and then select Next.
-
On Completing the Certificate Request Wizard, select Finish.
If an error dialog box appears when the wizard finishes, the most likely cause is that the Allow Clear Export of Private Keys flag has not been set. See Enabling Private Key Clear Export for details.
-
Double-click Personal, and then select Certificates.
-
In the details pane, double-click the certificate with the friendly name of Archive User.
-
In Certificate, select the Details tab.
Note that the certificate template used to generate this certificate was Archive User, then select OK.
-
Close the new console without saving changes.
-
Close all windows and log off of the computer.
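Task 5 ends by noting the certificate's serial number, which the recovery example below needs without spaces. The following PowerShell script, added as an example and not part of the ProtectToolkit-M documentation, runs as the user after enrollment: it locates the certificate by the friendly name Archive User assigned in the wizard, prints the serial number in the form certutil -getkey expects, and reads which CSP holds the private key, so that HSM storage can be confirmed rather than assumed. It assumes certutil.exe is on the PATH and that the SafeNet provider names begin with SafeNet (check certutil -csplist).

```powershell
# Added example; not from the ProtectToolkit-M documentation. Run as the
# user after task 5. Assumes the friendly name 'Archive User' that the
# wizard steps above assign, certutil.exe on the PATH, and SafeNet CSP
# names that start with 'SafeNet' (verify with: certutil -csplist).

function Get-ArchiveUserCertificate {
    param([string]$FriendlyName = 'Archive User')
    # The friendly name is local store metadata, not a certificate field,
    # but it is how the walkthrough labels the enrolled certificate.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -eq $FriendlyName }
}

function Get-PrivateKeyProvider {
    param([Parameter(Mandatory)][string]$SerialNumber)
    # certutil -store prints a 'Provider = <CSP name>' line for certificates
    # with an associated private key. HasPrivateKey alone says nothing about
    # whether that key is in the HSM or in a software container.
    $out = certutil -user -store My $SerialNumber 2>&1 | Out-String
    if ($out -match 'Provider\s*=\s*(.+)') { $Matches[1].Trim() } else { $null }
}

$certs = @(Get-ArchiveUserCertificate)
if ($certs.Count -eq 0) {
    throw "No certificate with friendly name 'Archive User' in Cert:\CurrentUser\My; repeat the enrollment."
}

foreach ($c in $certs) {
    $provider = Get-PrivateKeyProvider -SerialNumber $c.SerialNumber
    [pscustomobject]@{
        Subject       = $c.Subject
        SerialNumber  = $c.SerialNumber       # hex, no spaces: the form certutil -getkey needs
        HasPrivateKey = $c.HasPrivateKey
        Provider      = $provider
        KeyInHsm      = [bool]($provider -like 'SafeNet*')   # assumption about the provider name
        NotAfter      = $c.NotAfter
    }
}
```

If KeyInHsm is false, the request was generated with a Microsoft software CSP, which means the SafeNet provider was not selected on the CSP page of the wizard or is not enabled on the template.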
Private key recovery example
Here are the tasks required to recover a lost private key previously archived using a Microsoft certification authority (CA).
-
Perform key recovery
-
Import the recovered private key
1. Performing a Key Recovery
In this series of tasks, perform a key recovery by using Certutil.exe. For more information on Certutil, see your Microsoft documentation.
First, ensure that the private key is recoverable by viewing the Archived Key column in the Certification Authority console and obtain the certificate serial number required for recovery.
To obtain the certificate serial number of the confirmed recoverable private key
-
Log on as the administrator.
-
From Administrative Tools, open Certification Authority.
-
In the console tree, double-click the CA, and then select Issued Certificates.
-
From the View menu, select Add/Remove Columns.
-
In Add/Remove Columns, in Available Column, select Archived Key, and then select Add. Archived Key should now appear in Displayed Columns.
-
Select OK and then, in the details pane, scroll to the right and confirm that the last issued certificate to the user has a Yes value in the Archived Key column.
Note
The certificate template must have been modified so that the Archive subject's encryption private key and Allow private key to be exported options were enabled. The private key is recoverable only if the Archived Key column shows Yes for that certificate.
-
Double-click the Archive User certificate.
-
Select the Details tab
-
Write down the serial number of the certificate, without the spaces between digit pairs. This is required for recovery.
The serial number is a hexadecimal string, typically 20 characters for a Windows CA. The CA indexes the archived private key by the certificate's serial number, so the same value identifies both.
For the purposes of this walkthrough, the serial number is referred to as serialnumber.
-
Select OK.
-
Close Certification Authority.
To recover the private key into a BLOB output file using certutil.exe
-
From a command prompt, enter cd \ and then press Enter.
-
Ensure that you are in the c:\ directory.
-
At the command prompt, type:
Certutil -getkey serialnumber outputblob
-
At the command prompt, enter
dir outputblob
Note
If the file outputblob does not exist, you probably typed the serial number incorrectly for the certificate. The outputblob file is a PKCS#7 file containing the KRA certificates and the user certificate and chain. The inner content is an encrypted PKCS#7 containing the private key (encrypted to the KRA certificates).
To recover the original private/public key pair using certutil.exe
This step decrypts the blob with the KRA private key, so it must run where that key is available: here, as the administrator who enrolled the KRA certificate through the SafeNet CSP in Task 2 of the archiving example.
-
From a command prompt, type:
Certutil -recoverkey outputblob <username>.pfx
-
When prompted, enter the following information:
-
Enter new password: password
-
Confirm new password: password
-
Enter exit, and then press Enter.
-
Close all windows and log off as the current user.
2. Importing the recovered private key
Restore the recovered private key to the user's certificate store by importing the <username>.pfx file. Delete the .pfx file after a successful import: it contains the private key protected only by the password chosen during recovery.
To log on as the user and start the Certificates MMC
-
Log on as the user.
-
On the taskbar, select the Start button, and then select Run.
-
In Run, enter mmc, and then select OK.
-
On the File menu, select Add/Remove Snap-in.
-
In Add/Remove Snap-in, select Add.
-
In Add Standalone Snap-in, select Certificates, select Add, and then select Close and OK.
To delete all certificates issued by the CA to simulate a re-installed computer
-
Right-click Certificates - Current User, and then select Find Certificates.
-
In Find Certificates, in Contains, enter the CA name and then select Find Now.
-
On the Edit menu, select Select All.
-
On the File menu, select Delete.
-
In Certificates, select Yes.
-
In Root Certificate Store, select Yes.
-
Close Find Certificates.
To import the certificate at c:\<username>.pfx and let the certificates be placed automatically
-
In the console tree, right-click Personal and then select All Tasks and then select Import.
-
In the Certificate Import Wizard, select Next.
-
On Files to Import, in the File name box, enter c:\<username>.pfx, and then select Next.
-
In Password, enter password and then select Next.
-
On Certificate Store, select Automatically select the certificate store based on the type of certificate and then select Next.
-
On Completing the Certificate Import Wizard, select Finish.
-
If the Root Certificate Store dialog box appears, select Yes.
-
In Certificate Wizard Import, select OK.
Two certificates were imported. The Archive User certificate for the user is located in the Personal certificates store and the CA certificate is located in the Trusted Root Certification Authorities store.
To verify the serial number of the imported certificate
-
In the console tree, double-click Personal and then select Certificates.
-
Double-click the certificate.
-
In Certificate, select the Details tab. Verify that the serial number matches the original.
-
Close all open windows and log off.
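The two recovery tasks above are one procedure split across two logons. The following PowerShell script, added as an example and not part of the ProtectToolkit-M documentation, wraps both phases in functions: Recover-ArchivedKey runs on the CA as the administrator who holds the KRA private key and produces the password-protected PFX, and Import-RecoveredKey runs as the user, imports the PFX with certutil -importpfx and checks that the serial number matches the original, as the last procedure does by hand. The -Csp parameter is an assumption about the SafeNet provider name; the exact string must match certutil -csplist. The user name, paths and password are placeholders.

```powershell
# Added example; not from the ProtectToolkit-M documentation. Phase 1 runs on
# the CA as the administrator who enrolled the KRA certificate (certutil
# -recoverkey needs that KRA private key, here held by the SafeNet CSP).
# Phase 2 runs as the user whose key is being restored. Assumes certutil.exe
# on the PATH; names, paths and the password below are placeholders.

function Recover-ArchivedKey {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,   # hex, no spaces, as recorded in task 5
        [Parameter(Mandatory)][string]$PfxPath,        # e.g. C:\JSmith.pfx
        [Parameter(Mandatory)][string]$PfxPassword,
        [string]$BlobPath = "$env:TEMP\$SerialNumber.blob"
    )
    if ($SerialNumber -notmatch '^[0-9A-Fa-f]+$') {
        throw "Serial number must be hex digits only, with no spaces: $SerialNumber"
    }
    # Step 1: fetch the recovery blob from the CA database. It is a PKCS#7
    # whose inner content is encrypted to the KRA certificate(s).
    certutil -getkey $SerialNumber $BlobPath | Out-Null
    if (-not (Test-Path $BlobPath)) {
        throw "certutil -getkey produced no blob: wrong serial number, or no archived key for $SerialNumber"
    }
    # Step 2: decrypt with the KRA private key and write a password-protected PFX.
    certutil -recoverkey -p $PfxPassword $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxPath)) {
        throw "certutil -recoverkey failed (exit code $LASTEXITCODE); is the KRA private key available here?"
    }
    Remove-Item $BlobPath -Force    # still ciphertext, but there is no reason to keep it
    Get-Item $PfxPath
}

function Import-RecoveredKey {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string]$ExpectedSerialNumber,
        [string]$Csp    # e.g. 'SafeNet RSA Full Cryptographic Provider' to place the key back in the HSM
    )
    # -csp selects the provider that receives the private key; without it the
    # key lands in the default software CSP, not in the HSM.
    $cuArgs = @('-user', '-p', $PfxPassword)
    if ($Csp) { $cuArgs += @('-csp', $Csp) }
    $cuArgs += @('-importpfx', $PfxPath)
    & certutil @cuArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed (exit code $LASTEXITCODE)" }

    # Same check the walkthrough performs in the Details tab.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $ExpectedSerialNumber.ToUpper() }
    if (-not $cert)               { throw "No imported certificate with serial $ExpectedSerialNumber" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate imported, but its private key is missing' }

    # The PFX holds the key protected only by the password; remove it now.
    Remove-Item $PfxPath -Force
    $cert
}

# Usage (placeholder values):
#   On the CA, as the KRA holder:
#     Recover-ArchivedKey -SerialNumber '611B1B4B000000000006' -PfxPath 'C:\JSmith.pfx' -PfxPassword 'password'
#   Then, logged on as the user, after copying the PFX to that user's machine:
#     Import-RecoveredKey -PfxPath 'C:\JSmith.pfx' -PfxPassword 'password' `
#         -ExpectedSerialNumber '611B1B4B000000000006' -Csp 'SafeNet RSA Full Cryptographic Provider'
```

Moving the PFX between the two phases is the sensitive step: it is the user's private key under nothing but the chosen password, so transfer it over an authenticated channel and delete every copy once Import-RecoveredKey has returned the certificate.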