Configuring Active Directory Certificate Services Key Archival and Recovery in Server 2022

Posted on 18th June 2023

Introduction

Active Directory Certificate Services (AD CS) key archival and recovery is the process of backing up and storing the cryptographic keys and digital certificates used in an enterprise. It is important for maintaining the availability of these keys and certificates in the event of data loss or hardware failure. In this article, we will show you how to configure AD CS key archival and recovery in Server 2022.

Prerequisites

To follow this guide, you will need the following:

  • A server running Server 2022 with Active Directory Certificate Services installed.
  • A domain user account with administrative privileges.

Configuring AD CS Key Archival and Recovery

The first step in configuring AD CS key archival and recovery is to create a recovery agent. A recovery agent is a user or group that is granted permission to back up and restore cryptographic keys and digital certificates. To create a recovery agent, open the AD CS console and click on Operations. In the Action pane, click on Create Key Recovery Agent.

In the Create Key Recovery Agent wizard, click Next. On the Select Certificate Enrollment Policy page, select the certificate enrollment policy that you want to use for the recovery agent and click Next.

On the Specify Certificate Subject Name page, enter the subject name for the recovery agent certificate. This can be a user or group name. Click Next.

On the Select Cryptographic Service Provider page, select the cryptographic service provider (CSP) that you want to use for the recovery agent certificate and click Next.

On the Select Hash Algorithm page, select the hash algorithm that you want to use for the recovery agent certificate and click Next.

On the Specify Key Container Name page, enter a name for the key container. This is the name that will be used to store the recovery agent’s private key. Click Next.

On the Confirm Selections page, review the settings that you have chosen and click Next. On the Complete the Certificate Request page, click Finish.

The next step is to export the recovery agent’s certificate. To do this, click on Certificates in the AD CS console. In the Action pane, click on Export Certificate.

In the Export Certificate wizard, click Next. On the Export Private Key page, select the Yes, export the private key option and click Next.

On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option and click Next.

On the Security page, enter a password for the PFX file and click Next. On the File to Export page, enter the path and filename for the PFX file and click Next.

On the Confirm Export page, review the settings that you have chosen and click Finish.

The next step is to import the PFX file into the Certificate Store on the server. To do this, open the MMC and add the Certificates snap-in. Select the Local Computer account and click Finish. Click OK.

In the Certificates console, expand the Personal node and click on Certificates. In the Action pane, click on All Tasks and then Import.

In the Import wizard, click Next. On the File to Import page, enter the path to the PFX file and click Next.

On the Password page, enter the password for the PFX file and click Next. On the Certificate Store page, click Next.

On the Completing the Certificate Import Wizard page, review the settings that you have chosen and click Finish.
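The export and import steps above can also be performed from PowerShell. The following is an added example and is not part of the original article. It assumes the recovery agent's certificate and private key are already in the current user's Personal store, that the recovery agent certificate carries the Key Recovery Agent enhanced key usage (OID 1.3.6.1.4.1.311.21.6), and it uses a placeholder file path.

```powershell
# Added example, not from the original article. Exports the Key Recovery Agent
# certificate with its private key to a password-protected PKCS #12 file, then
# imports it into the Local Computer Personal store.
# Assumptions: the KRA certificate is in Cert:\CurrentUser\My; $pfxPath is a placeholder.

$pfxPath     = 'C:\KRA\kra-agent.pfx'                      # placeholder path
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Select the recovery agent certificate by the Key Recovery Agent EKU
# (OID 1.3.6.1.4.1.311.21.6) instead of relying on the subject name.
$kraOid  = '1.3.6.1.4.1.311.21.6'
$kraCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $kraOid })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $kraCert) {
    throw 'No Key Recovery Agent certificate with a private key was found in CurrentUser\My.'
}

# Export the certificate and its private key (Personal Information Exchange, PKCS #12).
New-Item -ItemType Directory -Path (Split-Path -Parent $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $kraCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Restrict the file to Administrators and SYSTEM: this PFX holds the key that
# can decrypt every archived private key, so it must not be readable by other users.
icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# Import into the Local Computer Personal store (Cert:\LocalMachine\My).
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Confirm the copy in the machine store matches the original and kept its private key.
if ($imported.Thumbprint -ne $kraCert.Thumbprint -or -not $imported.HasPrivateKey) {
    throw 'Imported certificate does not match the exported one or lacks a private key.'
}
"Imported {0} (thumbprint {1}) into LocalMachine\My" -f $imported.Subject, $imported.Thumbprint
```

Selecting the certificate by its enhanced key usage rather than by subject name avoids picking up an unrelated certificate issued to the same user, and the thumbprint comparison after import catches a stale or duplicate PFX before the CA is pointed at it.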

The next step is to configure the certificate template for key archival and recovery. To do this, open the AD CS console and click on Certificate Templates. In the Action pane, click on New and then Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the Key Recovery Agent template and click OK.

In the Certificate Templates console, right-click on the Key Recovery Agent template and click on Properties.

In the Key Recovery Agent Properties dialog box, click on the Security tab. In the Security dialog box, click Add.

In the Select Users, Computers, or Groups dialog box, enter the name of the recovery agent and click Check Names. Click OK.

In the Permissions for Key Recovery Agent dialog box, select the Read and Enroll permissions and click OK. Click OK again.

The next step is to issue a certificate to the recovery agent. To do this, open the AD CS console and click on Certificates. In the Action pane, click on Request New Certificate.

In the Request New Certificate wizard, click Next. On the Active Directory Enrollment Policy page, select the Key Recovery Agent certificate template and click Next.

On the Name page, enter the name of the recovery agent and click Next. On the Certificate Storage page, click Next.

On the Confirmation page, review the settings that you have chosen and click Enroll. On the Complete page, click Finish.

The next step is to configure the certificate template for key archival. To do this, open the AD CS console and click on Certificate Templates. In the Action pane, click on New and then Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the Key Archival template and click OK.
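Once the recovery agent has been issued a certificate and the template has been enabled, it is worth reading the CA's configuration back to confirm that key archival is actually in effect. The following is an added example and is not part of the original article. It assumes it runs on the CA with the ActiveDirectory module available; the registry value names KRACertCount and KRACertHash under the CA's Configuration key, the LocalMachine KRA store, and the msPKI-Private-Key-Flag bit 0x1 (require private key archival) are taken from the CA configuration and certificate template schema, not from this article.

```powershell
# Added example, not from the original article. Reads back the CA's key archival
# settings, checks the registered Key Recovery Agent certificates, and lists the
# templates that require private key archival.
# Assumptions: run on the CA; ActiveDirectory module present; registry value names
# and the 0x1 flag bit are assumptions from the CA and template schema.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

$kraCount  = [int]$ca.KRACertCount
$kraHashes = @($ca.KRACertHash)      # one thumbprint per registered KRA certificate
"CA '{0}': KRACertCount = {1}, registered KRA certificates = {2}" -f $caName, $kraCount, $kraHashes.Count

if ($kraCount -lt 1 -or $kraHashes.Count -lt 1) {
    Write-Warning 'Key archival is not enabled: no Key Recovery Agent certificate is registered on the CA.'
}

# Each registered KRA certificate should be present in the CA's KRA store and unexpired;
# a missing or expired KRA certificate makes enrollment on an archival template fail.
foreach ($hash in $kraHashes) {
    $thumb = ($hash -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "KRA certificate $thumb is registered but not present in LocalMachine\KRA"
        continue
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "KRA certificate $thumb expired on $($cert.NotAfter)"
    } else {
        "KRA certificate {0} ({1}) valid until {2}" -f $thumb, $cert.Subject, $cert.NotAfter
    }
}

# Templates with 'Archive subject's encryption private key' set (msPKI-Private-Key-Flag bit 0x1).
# Only enrollments on these templates cause the CA to archive the private key.
Import-Module ActiveDirectory
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $templatesDn -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties 'msPKI-Private-Key-Flag' |
    Where-Object { ($_.'msPKI-Private-Key-Flag' -band 0x1) -ne 0 } |
    ForEach-Object { "Template '{0}' requires private key archival" -f $_.Name }
```

Running this after the configuration steps gives a single view of the three things that must all be true for archival to work: the CA has at least one KRA certificate registered, that certificate is valid, and at least one issued template actually requests archival. Keeping a copy of the output with the change record also makes it easy to spot later if a KRA certificate expires or a template is changed to archive keys unexpectedly.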