Can anyone please tell me how I can issue a BitLocker DRA certificate in Windows Server 2012 CA?
There's no such template in CA 2012, and I can't create it by duplicating the Key Recovery Agent template and adding BitLocker application policies to the Key Recovery Agent template as in CA 2008R2:
Thank you in advance,
- Edited by MF47 Thursday, April 11, 2013 10:08 AM Typo
Thanks for posting in Microsoft TechNet forums.
Please check the Data Recovery Agent parts in the article below to see if they can be helpful during the troubleshooting:
BitLocker Group Policy settings
Install the BitLocker Feature to Windows (in Server Manager). That will add support for the BitLocker certificate OIDs.
You may need to do this both on the system where you make the request, and on the system that is issuing the certificates.
I personally disagree with this requirement (it is inconsistent with the fact that other OIDs are handled without adding features, and with the fact that the CA system may not need the BitLocker feature), but that's how it is...
No probs Ben,
Doing this all from memory as we no longer need to use a DRA - so some info might be a bit sketchy....
Add the BitLocker component to your CA via Server Management
Create a duplicate of the Recovery Agent certificate
Edit the certificate and choose the Extensions tab.
On this tab you will be able to add the two BitLocker extensions mentioned in the OP's question
Then you just need to deploy the new certificate.
...if you need this for FIPS then post back as I have some other info for you...
Carl Barrett | Twitter: @Mosquat
- Proposed as answer by Ben. K Monday, June 08, 2015 7:38 AM
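An added check (not code from the thread or from either poster) to confirm that the duplicated template and an enrolled certificate actually carry the BitLocker EKUs after the steps above; it assumes the OIDs 1.3.6.1.4.1.311.67.1.2 (BitLocker Data Recovery Agent) and 1.3.6.1.4.1.311.67.1.1 (BitLocker Drive Encryption), a template CN of `BitLockerDRA` as a placeholder, the ActiveDirectory module for the template lookup, and the current user's Personal store for the certificate check:

```powershell
# Added example, not part of the original thread. Verifies the BitLocker EKUs on
# (1) the duplicated template object in AD and (2) an enrolled certificate.
# Assumed OIDs: 1.3.6.1.4.1.311.67.1.2 = BitLocker Data Recovery Agent,
#               1.3.6.1.4.1.311.67.1.1 = BitLocker Drive Encryption.
$BitLockerEkus = @{
    '1.3.6.1.4.1.311.67.1.2' = 'BitLocker Data Recovery Agent'
    '1.3.6.1.4.1.311.67.1.1' = 'BitLocker Drive Encryption'
}

# 1) Template side: read pKIExtendedKeyUsage from the template object stored in
#    the Configuration partition (needs the ActiveDirectory module).
function Test-BitLockerTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)   # CN of the duplicated template
    $root = (Get-ADRootDSE).configurationNamingContext
    $tpl  = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$root" `
                         -Filter "cn -eq '$TemplateName'" -Properties pKIExtendedKeyUsage
    if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }
    $present = @($tpl.pKIExtendedKeyUsage | Where-Object { $BitLockerEkus.ContainsKey($_) })
    [pscustomobject]@{
        Template      = $TemplateName
        BitLockerEKUs = ($present | ForEach-Object { $BitLockerEkus[$_] }) -join ', '
        HasDraEku     = $present -contains '1.3.6.1.4.1.311.67.1.2'
    }
}

# 2) Certificate side: inspect the EKU extension of an enrolled certificate.
#    No EKU extension at all means an unrestricted (all-purpose) key; report that
#    separately rather than treating it as a purpose-built DRA certificate.
function Test-BitLockerDraCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        AllPurpose = (-not $eku)
        HasDraEku  = $oids -contains '1.3.6.1.4.1.311.67.1.2'
        EKUs       = ($oids | ForEach-Object { if ($BitLockerEkus[$_]) { $BitLockerEkus[$_] } else { $_ } }) -join ', '
    }
}

# Usage (placeholder template name and store path; adjust for your environment):
Test-BitLockerTemplate -TemplateName 'BitLockerDRA' | Format-List
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-BitLockerDraCertificate -Certificate $_ } | Format-Table -AutoSize
```

If `HasDraEku` is false on the template, the Extensions tab edit in the steps above has not taken effect (or has not replicated yet); if it is false on the certificate, the certificate was issued from a different template.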
Thank you very much!
So the key is adding the BitLocker component to the 2012 CA, not the 2008 Domain Controller...
I did that on DC since I read some blogs saying so, and I still can't the those CA extensions.
I will certainly give it a try and let you know the result.
Thanks again for your reply.
The instructions you are looking for are at the following URL as part of a blog post, and they appear fairly straightforward given the design flaw that made them necessary in the first place. Likewise, the individual who wrote the blog post appears to have been a native English speaker, so the instructions are cogent. Good luck.