After a KRA is assigned, the key for each certificate issued from a certificate template with
key export enabled is archived automatically. Multiple KRAs can be assigned to a certificate by
entering a value in the Number of recovery agents to use text box. This number should usually
be the same as the number of certificates you add to the Key recovery agent certificates list box,
so that every installed KRA can recover any archived key. The number of recovery agents can't be more than
the number of certificates installed. If you specify a number lower than the number of certificates
installed, the certificates are selected round-robin for each key archival procedure. In this case,
you have to determine which recovery agents can recover a given archived key. For example, if two
recovery agents are specified and four KRA certificates are installed, two certificates are chosen
for each key archival process, and only those two KRAs can decrypt that key for recovery.
The recovery of a key that has been archived automatically typically follows these steps:
1. The user who has lost his or her private key contacts the Certificate Manager (role holder)
to request key recovery.
2. The Certificate Manager locates the key in the CA database.
3. The Certificate Manager inspects the encrypted key's properties to determine which KRAs
can recover the key. The Certificate Manager can copy the key from the CA database but
can't decrypt the key unless he or she is also a designated KRA.
4. The key is sent to a KRA for decryption.
5. The KRA decrypts the key and sends it to the user in a password-protected file.
6. The user imports the key, using the password supplied by the KRA.
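The six recovery steps above can also be carried out from the command line with certutil, which is how the blob moves between the three roles (Certificate Manager, KRA, user). The following PowerShell script is an added example, not part of the textbook; the CA configuration string, serial number, paths and account names are placeholders you must replace, and it assumes the person running the -recoverkey step holds the private key of one of the KRA certificates that were chosen when the key was archived.

```powershell
# Added example (not from the textbook): scripting the key-recovery steps above
# with certutil. CA name, serial number and paths are placeholders (assumed).

$CaConfig = 'SERVERXX.example.local\ExampleCA'      # <CAHost>\<CAName>, placeholder
$SerialNo = '<serial-number-of-users-certificate>'  # placeholder; from the CA database
$Blob     = Join-Path $env:TEMP 'salesperson1-recovery.blob'
$Pfx      = Join-Path $env:TEMP 'salesperson1-recovered.pfx'

# Steps 2-3 (Certificate Manager): copy the encrypted archived key out of the
# CA database into a recovery blob. certutil lists the KRA certificates that
# can decrypt it, which tells you which recovery agents to send the blob to.
# The manager cannot decrypt it unless he or she also holds a matching KRA key.
certutil -config $CaConfig -getkey $SerialNo $Blob
if ($LASTEXITCODE -ne 0) { throw 'certutil -getkey failed (caller must be a Certificate Manager)' }

# Steps 4-5 (KRA): decrypt the blob with the KRA's private key and write a
# password-protected PKCS #12 file. certutil prompts for the PFX password;
# hand that password to the user separately from the file itself.
certutil -recoverkey $Blob $Pfx
if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed (no matching KRA private key present)' }

# Step 6 (user): import the recovered key into the user's Personal store.
# certutil prompts for the password the KRA set above.
certutil -user -importpfx $Pfx
if ($LASTEXITCODE -ne 0) { throw 'certutil -importpfx failed (wrong password or file)' }
```

The recovery blob is already encrypted to the selected KRA certificates, so it can travel to the KRA over ordinary channels; the PFX produced by -recoverkey is protected only by the password, which is why the password is delivered to the user out of band and the .pfx file is deleted once imported.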
Activity 11-11: Archiving a Key Manually
Time Required: 15 minutes
Objective: Archive a private key.
Description: You have just been issued an EFS certificate and realize you should archive your private key in case it's lost or corrupted.
1. Log on to your Vista computer as salesperson1. (If you didn't use your Vista computer to request the EFS certificate for salesperson1, you can log on to ServerXX.)
2. Add the Certificates snap-in to an MMC. (See Activity 11-5 for the steps.)
3. In the left pane, click to expand the Certificates node and the Personal folder, and then click the Certificates folder.
4. Right-click the EFS-2008 certificate, point to All Tasks, and click Export. In the Certificate Export Wizard's welcome window, click Next.
5. Click the Yes, export the private key option button, and then click Next.
6. In the Export File Format window, leave the Personal Information Exchange - PKCS #12 (.PFX) option button selected, and then click Next.
7. In the Password window, type Password01 in the Password text box and the Type and confirm password (mandatory) text box, and then click Next.
8. In the File to Export window, click Browse. By default, your Documents folder is selected as the destination folder. Type EFSCert in the File name text box, and click Save. Click Next.
9. In the Completing the Certificate Export Wizard window, click Finish. Click OK in the success message. Leave the Certificates snap-in open for the next activity.
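The same export can be scripted, which is useful when many users need a private-key backup before a profile migration. The script below is an added example and not part of the activity; it assumes the PKI PowerShell module (Windows 8 / Windows Server 2012 and later, so not the Vista client used in the activity), uses the standard EFS enhanced key usage OID to find the certificate, and writes the same EFSCert.pfx file in Documents that the wizard produces.

```powershell
# Added example (not from the textbook): Activity 11-11 as a script.
# Assumes the PKI module (Export-PfxCertificate); file name matches the activity.

$EfsEku  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID
$PfxPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'EFSCert.pfx'

# Steps 3-4: locate the EFS certificate in the current user's Personal store.
# Only a certificate whose private key is present and exportable can be backed up.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My' }

# Step 7: the PFX password. Reading it as a SecureString keeps it out of the
# script file and the command history (the activity uses Password01).
$password = Read-Host 'PFX password' -AsSecureString

# Steps 5-9: export the certificate together with its private key as PKCS #12.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
Get-Item $PfxPath    # confirm the backup file exists before deleting anything

# Activity 11-12 restores from this file; the scripted equivalent of that import is:
# Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password
```

Store the resulting .pfx somewhere the user's profile deletion cannot reach (removable media or a protected file share), since a backup kept only in the profile is lost with it.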
Activity 11-12: Recovering a Lost Key
Time Required: 15 minutes
Objective: Recover a lost key.
Description: Your user profile, which contained your private key, was accidentally deleted. You need to recover your key from an archived backup.
1. First, you delete your existing certificate and key. In the left pane of the Certificates snap-in, click the Certificates folder, if necessary. Right-click the EFS-2008 certificate and click Delete.