Is secret key archival only configurable on the CA and not on the template?
-
Thursday, January 31, 2013 11:08 AM
We use a Windows 2003 Enterprise CA.
It looks like the CA does not archive the secret key.
We use EFS for end users.
If we use an EFS recovery certificate and register it in Group Policy, is an EFS-encrypted file recoverable with the EFS recovery certificate published by Group Policy?
-
Friday, February 01, 2013 5:55 AM
Hi,
You must configure a key recovery agent certificate on the CA, and then you can set the option to archive a certificate on the certificate template.
Overview key archival - http://technet.microsoft.com/en-us/library/cc755395(v=ws.10).aspx
Implementing key archival - http://technet.microsoft.com/en-us/library/ee449464(v=WS.10).aspx
Best practices EFS - http://support.microsoft.com/kb/223316
Hope that helps,
Lutz
-
Friday, February 01, 2013 6:13 AM
Thank you.
I can see a template named Basic EFS in the CA, but I could not find that template in the Certificate Templates MMC.
I could not see in the CA whether the Basic EFS template has its secret key archived or not.
How could I know that?
-
Friday, February 01, 2013 8:00 AM
Look at the links of Lutz and follow the following steps:
* request a key recovery agent certificate
* configure your CA with the certificate of the key recovery agent
* configure your certificate template for key archival
* autoenroll certificate for a user account
http://technet.microsoft.com/en-us/library/cc787039(v=ws.10).aspx
If you cannot change any settings on your Basic EFS certificate template, duplicate the template first and edit all the required settings.
* if for some reason the private key of the user needs to be recovered, use the key recovery tool.
http://technet.microsoft.com/en-us/library/cc776056(v=ws.10).aspx
hope it helps
Johan Loos CISSP,MCT,ISO 27001 and others
-
Friday, February 01, 2013 8:17 AM
Thank you.
I will check later.
Why are the templates displayed in the CA MMC different from those in the Certificate Templates MMC?
-
Friday, February 01, 2013 4:14 PM
On Fri, 1 Feb 2013 08:17:53 +0000, miyagiken wrote:
Why are the templates displayed in the CA MMC different from those in the Certificate Templates MMC?
The former are those that are available to enroll against at the CA, the
latter shows all templates available in the forest. To get one from the
latter to show up in the former you need to use the CA mmc to make it
available.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Vacuum type: A derogatory term. See "bubble memory."
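The following script ties Johan's steps and Paul's distinction together; it is an added example, not code from any poster or from Microsoft. It reads the template from the forest-wide Certificate Templates container (what certtmpl.msc shows), lists which CA objects in Enrollment Services publish it (what the CA MMC shows), and asks the CA through certutil whether archival is enabled and a KRA certificate is loaded. It assumes the ActiveDirectory PowerShell module, certutil.exe with remote-registry access to the CA (or run it on the CA host), and the placeholder names below.

```powershell
# Added example (not from the thread). Placeholder names; adjust to your forest.
param(
    [string]$TemplateDisplayName = 'Basic EFS',                     # placeholder
    [string]$CaConfig = 'ca01.example.local\Example Issuing CA'     # placeholder
)
Import-Module ActiveDirectory
$pkiBase = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext

# (a) Certificate Templates container: the forest-wide set that certtmpl.msc shows.
# The LDAP cn differs from the display name (Basic EFS is cn=EFS), so match displayName.
$tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
    -Properties displayName, 'msPKI-Private-Key-Flag', 'msPKI-Template-Schema-Version'
if (-not $tmpl) { throw "Template '$TemplateDisplayName' not found in AD" }
# CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag marks a template
# that forces key archival; only version 2 or later templates can carry it, which is
# why a version 1 template such as Basic EFS has to be duplicated first.
$requiresArchival = ([int]$tmpl.'msPKI-Private-Key-Flag' -band 0x1) -ne 0
$schemaVersion    = [int]$tmpl.'msPKI-Template-Schema-Version'

# (b) Enrollment Services: each CA object lists the templates it issues, i.e. what the
# Certification Authority MMC shows under "Certificate Templates".
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties certificateTemplates, displayName
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tmpl.Name } |
    ForEach-Object { $_.displayName }

# (c) CA side: KRAFlags bit KRAF_ENABLEARCHIVAL (0x1) and the number of KRA certificates.
# certutil prints lines such as "  KRAFlags REG_DWORD = 1"; parse the numeric value.
function Get-CaRegDword([string]$Name) {
    $out = (certutil -config $CaConfig -getreg "CA\$Name" 2>&1) -join "`n"
    if ($out -match "$Name\s+REG_DWORD\s*=\s*(0x[0-9a-fA-F]+|\d+)") { [int]$Matches[1] } else { 0 }
}
$archivalOn   = ((Get-CaRegDword 'KRAFlags') -band 0x1) -ne 0
$kraCertCount = Get-CaRegDword 'KRACertCount'

[pscustomobject]@{
    Template          = $tmpl.displayName
    TemplateCN        = $tmpl.Name
    SchemaVersion     = $schemaVersion
    RequiresArchival  = $requiresArchival   # template side (Johan's step 3)
    PublishedOnCAs    = ($publishedOn -join ', ')   # Paul's "former" list
    CAArchivalEnabled = $archivalOn         # CA side (Johan's step 2)
    KRACertificates   = $kraCertCount
}
```

A user's key is only archived when all three line up: the template requires archival, the CA publishes that template, and the CA has archival enabled with at least one KRA certificate.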
-
Friday, February 01, 2013 5:45 PM
Because there are different actions being taken.
Certtmpl.msc - Modification, deletion, and duplication of certificate templates.
Certification Authority - Publication and issuance of certificates based on the definitions in the certificate templates
Brian