KRA - Key Recovery Failure

    Question

  • Hi All,

    I am attempting to recover a private key for one of our users. We have 1 KRA specified in our infrastructure. I have verified that the KRA is listed in the KRA Container in AD as well as in the local computer store (KRA) on the CA.

    When I issue the following command

    "certutil -config CANAME\Issuing-CA-01 -v -getkey 12345678901234567890"

    I get the error

    "CertUtil: -GetKey command FAILED: 0x80092004 (-2146885628)
    CertUtil: Cannot find object or property."

    Research of this error points to the lack of the KRA certificate existing in the HKLM\KRA Store on the CA. I have verified that the cert does in fact exist in the KRA Store on the CA and that the serial number and hash matches the certificate as well as the certificate that is published in the KRA Container in AD.

    When I run the following command to list the certs in the KRA store on the CA, 1 cert is found (as expected):

    "C:\Users\User>certutil -store KRA
    KRA
    ================ Certificate 0 ================
    Serial Number: abcdef1234567890abcd
    Issuer: CN=CANAME, DC=contoso, DC=com
    NotBefore: 1/20/2011 10:24 AM
    NotAfter: 1/21/2013 9:37 AM
    Subject: CN=krauser, CN=Users, DC=contoso, DC=com
    Non-root Certificate
    Template: KeyRecoveryAgent, Key Recovery Agent
    Cert Hash(sha1): aa bb cc dd ee ff 11 22 33 44 55 66 77 88 99 aa bb cc dd ee
    No key provider information
    Encryption test passed
    CertUtil: -store command completed successfully."

    However, I am unable to create the encrypted blob to be used with the "RecoverKey" parameter, as the "GetKey" command fails with the above error. Furthermore, in the GUI for Certificate Services, under Properties of the CA, on the "Recovery Agents" tab, I can see the KRA certificate and the status is "Valid". Nothing on the web, by the way, sheds any light except for the TechNet article which points to the KRA cert not being available in the KRA Store on the CA (which it is).

    Any ideas?

    TIA!!

    Wednesday, May 04, 2011 10:00 PM

Answers

  • The getkey operation requires that the user have Issue and Manage Certificates permissions at the CA. This is the first thing that I would check. This step is prior to the recoverkey operation, so it is not tied in any way to whether you have the KRA certificate properly loaded in your profile (it does appear to be OK).

    I would manually check from the GUI that the certificate is in the CA database that you are connecting to and that the key is archived (turn on the Archived Key column in the view options)

    Brian

    • Marked as answer by MikeFi Wednesday, May 04, 2011 11:45 PM
    Wednesday, May 04, 2011 11:37 PM

All replies

  • Interesting... I have issue and manage cert rights, so that is not a problem.

    When I added the "Archived Key" column, not a single one of my certs is archived, or at least nothing shows up in this column...

    Kind of makes sense why "Cannot find object" if it doesn't exist...

    Let me find a cert (EFS most likely) that is archived and I will test recovery on that.

    Posting results shortly

    Good help so far!


    Wednesday, May 04, 2011 11:40 PM
  • Issue was not really an issue at all. Turned out the cert I was trying to get the key for DID NOT have the key archived. It was a digital signature template which specified NOT to archive the key. When I tried the above process on an EFS cert (Encryption), all is well...

    Doh!

    ;)


    Thanks!

    Wednesday, May 04, 2011 11:46 PM
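The checks Brian lists (Officer permission, "Archived Key" column) and the root cause in the last post (a signature template that never archives) can be done from a console before running -getkey. The script below is an added example and is not code from the thread or from Microsoft. Assumptions not taken from the post: the parameter defaults reuse the placeholder CA name and serial number from the question, $TemplateName "UserSignature" is a hypothetical template CN, and the parsing relies on certutil's English output labels ("Request ID:", "Key Recovery Agent Hashes:", "EMPTY" for a null column, "Cert Hash(sha1):"). 0x80092004 is CRYPT_E_NOT_FOUND, which is what the CA returns when the row has no archived key blob.

```powershell
<#
 Added example, not part of the original thread: pre-flight checks before
 certutil -getkey so that 0x80092004 (CRYPT_E_NOT_FOUND) is explained before
 it happens. Parameter defaults are the placeholders from the question;
 "UserSignature" is a hypothetical template CN.
#>
param(
    [string]$CAConfig     = 'CANAME\Issuing-CA-01',
    [string]$SerialNumber = 'abcdef1234567890abcd',
    [string]$TemplateName = 'UserSignature',
    [string]$OutFile      = (Join-Path $env:TEMP "$SerialNumber.blob")
)

function Get-Sha1Hashes([string]$Text) {
    # Normalise "aa bb cc ..." or "aabbcc..." SHA-1 renderings to 40 lower-case hex chars.
    [regex]::Matches($Text, '(?i)\b(?:[0-9a-f]{2}\s?){20}\b') |
        ForEach-Object { ($_.Value -replace '\s', '').ToLower() } | Sort-Object -Unique
}

# --- 1. Is the template configured to archive the private key at all? ----------
# msPKI-Private-Key-Flag bit 0x1 = CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL, i.e. the
# "Archive subject's encryption private key" checkbox. Signature-only templates
# (the case in the thread) leave it clear, so the CA never stores a key to recover.
$cfgNc   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl     = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$pkFlags = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value
if (($pkFlags -band 0x1) -eq 0) {
    Write-Warning ("Template '{0}' does not archive private keys (msPKI-Private-Key-Flag=0x{1:x}); -getkey returns 0x80092004 for its certificates." -f $TemplateName, $pkFlags)
}

# --- 2. Does the CA database row actually hold an archived key? ----------------
# KeyRecoveryHashes holds the SHA-1 thumbprints of the KRA certificate(s) the key
# was encrypted to at archival time; this is the "Archived Key" evidence in the MMC.
# certutil prints EMPTY for a null column, which is exactly the failing case.
$row = certutil -config $CAConfig -view -restrict "SerialNumber=$SerialNumber" `
               -out 'RequestID,CertificateTemplate,KeyRecoveryHashes' 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$row" }
if ($row -notmatch 'Request ID:' -or $row -match 'Key Recovery Agent Hashes:\s*EMPTY') {
    throw "No archived key in the CA database for serial $SerialNumber (row missing or KeyRecoveryHashes empty)."
}
$kraHashes = Get-Sha1Hashes ($row -replace '(?s)^.*Key Recovery Agent Hashes:', '')

# --- 3. Which KRA private key will -recoverkey need? ---------------------------
# The CA's KRA store (what the poster listed) only proves the CA could encrypt to
# the KRA; decryption happens later with the KRA *private* key in the profile of
# whoever runs -recoverkey, so also check the current user's My store.
$caKra   = Get-Sha1Hashes ((certutil -store KRA 2>&1 | Out-String) -split "`r?`n" | Where-Object { $_ -match 'Cert Hash\(sha1\)' })
$userKra = Get-Sha1Hashes ((certutil -user -store My 2>&1 | Out-String) -split "`r?`n" | Where-Object { $_ -match 'Cert Hash\(sha1\)' })
foreach ($h in $kraHashes) {
    $state = @()
    if ($caKra   -contains $h) { $state += 'published on CA' }
    if ($userKra -contains $h) { $state += 'present in current user My store' }
    if ($state.Count -eq 0)    { $state = @('NOT found on CA or in current user My store') }
    Write-Host ("KRA {0}: {1}" -f $h, ($state -join ', '))
}

# --- 4. Only now ask the CA for the encrypted recovery blob. -------------------
# -getkey fetches the archived key (still encrypted to the KRA) from the CA
# database and needs the Issue and Manage Certificates permission on the CA;
# -recoverkey is the separate step that decrypts it into a PFX with the KRA key.
$out = certutil -config $CAConfig -getkey $SerialNumber $OutFile 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    if ($out -match '0x80092004') { throw "CRYPT_E_NOT_FOUND: the CA has no archived key for $SerialNumber.`n$out" }
    throw "certutil -getkey failed:`n$out"
}
Write-Host "Recovery blob written to $OutFile. Next step, run as the holder of the KRA private key: certutil -recoverkey $OutFile <output.pfx>"
```

Run it on the CA (or any box with the CA tools and LDAP access) as the account that will do the recovery; step 2 reproduces the "Archived Key" column check from the answer without the MMC, and step 1 explains a blank column before anyone starts hunting for a missing KRA certificate, which in this thread was never the problem.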