Problem with assigning a EFS recovery agent in CA

Question


  • I'm trying to implement PKI as widely as possible, including EFS, sure. I did the following:

    1. Created custom V2 template "Custom EFS" based on "Basic EFS", assigned read/enroll/autoenroll for Authenticated Users, tick archive private key, issued.

    2. Created user named "EFS Recovery Agent", assigned Domain Admins rights.

    3. Created custom V2 template "Custom EFS Recovery Agent", assigned read/enroll/autoenroll for "EFS Recovery Agent", issued.

    4. Logged on to the CA as "Custom EFS Recovery Agent", got the certificate.

    5. In Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Encrypting File System launched the Add Recovery Agent Wizard and installed the certificate.

    And the problem appeared when I decided to set up the recovery agent in the CA. I launched certsrv, called "Properties", went to the Recovery Agents tab, pressed Add, and the following window appeared:

    No certificate available
    No certificates meet the application criteria

    The CA doesn't see the certificate that I just installed on the same machine. I rebooted a lot and restarted the service — no effect.

    All actions were performed on the Enterprise Subordinate CA, thus there were no issues with the private keys being on the wrong PC.

    EFS Recovery Agent is in "Issued Certificates". In "Failed Requests" there are records:

    Cannot archive private key. The certification authority is not configured for key archival.

    What did I miss or misunderstand? Thanks in advance.

    PS. Let me know if there is a more suitable forum here.


    • Edited by Grigory Kireev Monday, December 23, 2013 10:32 AM
    • Moved by Amy Wang_Moderator Tuesday, December 24, 2013 6:40 AM Certificates related From Windows Server General Forum
    Monday, December 23, 2013 10:25 AM

Answers

  • The Recovery Agents tab in the properties of the CA has absolutely nothing to do with EFS, but has to do with key archival and recovery:

    1) When you created your custom EFS certificate, you must enable the "Archive the encryption certificate's private key" option.

    2) You must issue a Key Recovery Agent certificate to a specific user.

    3) You add the Key Recovery Agent certificate on the recovery agent's tab of the CA.

    Key recovery is a shared operation between the Certificate Manager role and the Key Recovery Agent (KRA) role.

    1) The certificate manager can extract an encrypted blob of the user's private key from the CA database by using the certutil -getkey command.

    2) The KRA can then extract the certificate and private key from the encrypted blob by using the certutil -recoverkey option.

    HTH

    Brian

    • Marked as answer by Grigory Kireev Tuesday, December 24, 2013 10:34 AM
    Tuesday, December 24, 2013 9:23 AM
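The two-role key recovery flow from the answer above, as an added example run from PowerShell on the CA; it is not code from the thread. Assumptions of mine: the script runs on the Enterprise Subordinate CA, KRACertCount is the CA registry value that counts registered KRA certificates, and $Serial is a placeholder for the serial number of the archived "Custom EFS" certificate taken from "Issued Certificates".

```powershell
# Added example (not from the thread): key archival check, then the
# Certificate Manager / KRA split that the answer describes.

function Test-KeyArchivalEnabled {
    # Mirrors the precondition behind the Failed Requests error: archival fails
    # until at least one KRA certificate is registered on the CA's Recovery Agents tab.
    # Assumption: KRACertCount is the CA registry value holding that count.
    $out = certutil -getreg CA\KRACertCount 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $false }
    return ($out -match 'KRACertCount.*=\s*(\d+)') -and ([int]$Matches[1] -gt 0)
}

function Export-ArchivedKeyBlob {
    # Certificate Manager role: pulls the encrypted key blob out of the CA database.
    # The blob is still encrypted to the KRA's public key, so handing it over
    # does not expose the user's private key.
    param([string]$Serial, [string]$BlobPath)
    certutil -getkey $Serial $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for serial $Serial" }
    return $BlobPath
}

function Restore-KeyFromBlob {
    # KRA role: must run as the user who holds the KRA certificate's private key.
    # certutil prompts interactively for the password of the output PFX.
    param([string]$BlobPath, [string]$PfxPath)
    certutil -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed for $BlobPath" }
    return $PfxPath
}

# --- usage ---
$Serial = 'PLACEHOLDER-SERIAL-NUMBER'   # replace with the real serial from certsrv
$Blob   = Join-Path $env:TEMP 'efs-key-blob.bin'
$Pfx    = Join-Path $env:TEMP 'efs-key-recovered.pfx'

if (-not (Test-KeyArchivalEnabled)) {
    Write-Warning 'No KRA certificate registered on this CA; archival requests will keep failing.'
    return
}
Export-ArchivedKeyBlob -Serial $Serial -BlobPath $Blob
Restore-KeyFromBlob -BlobPath $Blob -PfxPath $Pfx
# The user then imports the PFX into their personal store (PKI module, Windows 8 / 2012+):
# Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\CurrentUser\My
```

In practice the two functions run in separate sessions under the two separate roles; they are shown in one script only to make the hand-off of the blob visible.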

All replies

  • Thanks! I mixed up DRA and KRA (they sound similar).

    I will use two different approaches to EFS recovery:

    1. Data Recovery Agent — to restore (decrypt) encrypted files. This scenario assumes the loss of the user's private key and the creation of a new one, with the files re-encrypted.

    2. Key Recovery Agent — to restore the user's key pair. This scenario assumes that the user can carry on as if nothing happened after the key is installed.

    Am I right?

    Tuesday, December 24, 2013 10:39 AM
  • Hi,

    In addition, here is a nice blog post below which was written about the differences between Key Recovery and Data Recovery:

    Key Recovery vs Data Recovery Differences

    http://blogs.technet.com/b/pki/archive/2011/10/28/key-recovery-vs-data-recvoery-differences.aspx

    According to this article, a Data Recovery Agent allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. Meanwhile, a Key Recovery Agent allows the user to access the File Encryption Key (FEK) stored in the EFS-encrypted file, returning access to the file to the user.

    Happy holidays!

    Amy Wang

    Wednesday, December 25, 2013 3:37 AM