Create a Microsoft CA Key Recovery Agent

You need a Key Recovery Agent (KRA) certificate, and its private key, to perform a key recovery operation: the CA encrypts every archived private key to the agent certificate, and only the holder of the agent's private key can decrypt it.

Note: Changes to the Microsoft CA CRL configuration (for example, enabling or disabling HTTP or LDAP Certificate Revocation List (CRL) distribution points) can cause the Key Recovery Agent certificate to become invalid, because the CA revalidates the agent certificate, including its revocation status, whenever it loads the key recovery configuration. When this happens, certificate requests that require key archival fail. After you change the Microsoft CA CRL configuration, publish a new CRL to your LDAP or HTTP distribution points (for example, with certutil -crl) and restart the CA service so that the Key Recovery Agent certificate is revalidated.

Create a key recovery agent PKCS12 store

1.      On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.

2.      Click your certification authority to expand the root folder.

3.      Right-click Certificate Templates and select Manage. The Certificate Templates Console appears.

4.      In the Certificate Templates Console, locate the built-in Key Recovery Agent template. Do not edit it directly; you duplicate it in the next step.

5.      Right-click the Key Recovery Agent template and select Duplicate Template. The Properties of New Template dialog box appears.

6.      On the Compatibility tab, select the following:

a.      From the Certification Authority drop-down list, select Windows Server 2012 R2 if the CA runs on Windows Server 2012 R2, or Windows Server 2016 if the CA runs on Windows Server 2016 or later.

b.      From the Certificate recipient drop-down list, select Windows 8.1/Windows Server 2012 R2 if the CA runs on Windows Server 2012 R2, or Windows 10/Windows Server 2016 if the CA runs on Windows Server 2016 or later.

c.      (Optional) If the Show resulting changes check box is selected, a message lists options added with your choice. Click OK to dismiss the message.

7.      Click the General tab and enter a name in the Template display name field.

8.      Click the Request Handling tab and select Allow private key to be exported. This is required because Identity as a Service needs the agent's private key in a PKCS12 file (exported later in this procedure). That private key can decrypt every key the CA archives, so the template should be issued only to the dedicated recovery agent user created below.

9.      Click the Issuance Requirements tab and do the following:

a.      Do not select CA certificate manager approval.

b.      Select This number of authorized signatures and enter 1 in the text box.

c.      From the Policy type required in signature drop-down list, select Application policy.

d.      From the Application policy drop-down list, select Certificate Request Agent.

10.  Click the Security tab and, under Permissions for Authenticated Users, select Allow for Read, Write, and Enroll.

Note: Write permission on a template lets any account in Authenticated Users modify the template, and Enroll lets any such account request an agent certificate (still subject to the Enrollment Agent signature required in step 9). If your policy does not permit this, grant Enroll only to the account or group that holds the Enrollment Agent certificate and the recovery agent user, and leave Write with the CA administrators.

11.  Click OK.

12.  Go to Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.

13.  Select the Key Recovery Agent template you just created and click OK.

14.  Create a new user in Active Directory to hold the Key Recovery Agent certificate, as follows:

a.      Go to Start > Windows Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears.

b.      Right-click Users and select New > User. The New Object - User dialog box appears.

c.      Enter a First name, Last name, and User logon name and then click Next.

d.      Deselect User must change password at next logon.

e.      Enter and confirm a strong password. This account is only a holder for the recovery agent certificate; it does not need to be a member of any privileged group.

f.      Click Next and then click Finish.

15.  Open the Microsoft Management Console to add certificates snap-in, as follows:

a.      To open the Microsoft Management Console, right-click the Start menu, click Run, enter mmc in the Open field, and click OK.

b.      Go to File > Add/Remove Snap-in.

c.      Click Certificates and select Add. The Certificates snap-in dialog box appears.

d.      Select My user account.

e.      Click Finish and click OK.

16.  Expand Certificates - Current User.

17.  Right-click Personal and select All Tasks > Advanced Operations > Enroll on Behalf Of. The Certificate Enrollment Wizard opens.

18.  Click Next. The Select Certificate Enrollment Policy page appears. Keep the Active Directory enrollment policy and click Next. The Select Enrollment Agent page appears.

19.  Click Browse to select the Enrollment Agent certificate you created in Create a Microsoft CA Enrollment Agent. The Select a Certificate dialog box appears.

20.  Select the certificate and click OK to close the dialog box. The certificate name appears in the Signing Certificate field.

21.  Click Next. The Request Certificates page appears.

22.  Select the Key Recovery Agent certificate template you created and click Next. The Select a user page appears.

23.  Enter the user name or alias of the user you created in step 14.

Alternatively, click Browse to display the Select User dialog box and search for the user.

24.  Click Enroll and then click Close.

25.  Select Certificates - Current User.

26.  Double-click Personal and then double-click Certificates.

27.  Right-click the Key Recovery Agent certificate issued to the user you created in step 14 (the Issued To column shows that user) and select All Tasks > Export. The Certificate Export Wizard opens.

Note: You may need to refresh the view (Action > Refresh, or F5) before the newly issued certificate is listed.

28.  Click Next. The Export Private Key page appears.

29.  Select Yes, export the private key and click Next.

30.  In the Export File Format page, do the following:

a.      Select Personal Information Exchange - PKCS #12 (PFX).

b.      Select Include all certificates in the certification path if possible.

c.      Click Next. The Security page appears.

31.  In the Security page, do the following:

a.      Select Password.

b.      Enter and confirm a password that protects the exported private key. Record it; it is required wherever the PKCS12 file is imported.

c.      Click Next. The File to Export page appears.

32.  In the File to Export page, enter a name for your PKCS12 file, for example, recover.

Tip: Click Browse to browse to the location where you want to save your certificate, enter a File name and click Save.

33.  Click Next and then click Finish.

34.  Click OK on the Export successful confirmation prompt.

35.  Copy this file to a protected location. It contains the Key Recovery Agent private key, which can decrypt any key archived by the CA, so restrict access to it as you would a CA signing key. You need this file, and its password, to Configure a Microsoft CA in Identity as a Service.
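The following PowerShell script is an added example and is not part of the original page or of the Identity as a Service product; it performs the checks a practitioner would want before exporting the Key Recovery Agent certificate from steps 27 to 34, and then does the export. It assumes the step 14 user's display name is "KRA User" and the output path is C:\PKI\recover.pfx; both are placeholders. Run it in the interactive session of the user who enrolled the certificate, so that it is present in Cert:\CurrentUser\My.

```powershell
# Added example (not from the original page): find the Key Recovery Agent (KRA)
# certificate enrolled in steps 17-24, check it, and export it as PKCS12.
# Assumed values (placeholders, not from the page):
$KraUserName = 'KRA User'               # display name of the user created in step 14
$PfxPath     = 'C:\PKI\recover.pfx'     # output file, same role as "recover" in step 32
$KraEku      = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage OID

# 1. Select the certificate by EKU, not by name alone, so that a certificate
#    issued from some other template is never exported by mistake.
$kra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $KraEku) -and
        $_.Subject -like "*$KraUserName*"
    } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $kra) {
    throw "No Key Recovery Agent certificate with a private key found for '$KraUserName'. Refresh the console and check step 27."
}
"KRA certificate: $($kra.Subject), thumbprint $($kra.Thumbprint), expires $($kra.NotAfter)"

# 2. Check that the CRL and AIA locations in this certificate are reachable.
#    This is the condition described in the CRL note at the top of the page:
#    if revocation checking fails here, the CA will also mark the agent invalid.
#    certutil -verify -urlfetch downloads every CDP and AIA URL it finds.
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
$cerPath = [System.IO.Path]::ChangeExtension($PfxPath, '.cer')
Export-Certificate -Cert $kra -FilePath $cerPath -Force | Out-Null
$verify = & certutil.exe -verify -urlfetch $cerPath 2>&1
if ($LASTEXITCODE -ne 0 -or ($verify -match 'ERROR|revocation server was offline')) {
    Write-Warning 'Revocation checking failed for the KRA certificate. Publish the CRL (certutil -crl) and confirm the CDP URLs are reachable before continuing.'
    $verify | Select-String 'CRL|Revocation|ERROR' | ForEach-Object { $_.Line }
}

# 3. Export with the private key and the certificate chain (wizard steps 29-31).
#    Export-PfxCertificate fails if the template did not allow export (step 8).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PKCS12 file'
try {
    Export-PfxCertificate -Cert $kra -FilePath $PfxPath -Password $pfxPassword `
        -ChainOption BuildChain -Force | Out-Null
} catch {
    throw "Export failed: $($_.Exception.Message). Confirm that 'Allow private key to be exported' was selected on the template before the certificate was issued."
}

# 4. The file can decrypt every key the CA archives. Remove inherited NTFS
#    permissions and leave only the current user (read) and Administrators
#    (full control; S-1-5-32-544 avoids a localized group name).
& icacls.exe $PfxPath /inheritance:r /grant:r "$($env:USERNAME):(R)" '*S-1-5-32-544:(F)' | Out-Null
Get-Item $PfxPath | Select-Object FullName, Length, LastWriteTime
```

The revocation check in step 2 is the part worth keeping even if you export through the wizard: a KRA certificate whose CRL cannot be fetched is accepted by the export wizard but rejected by the CA once it is registered as a recovery agent.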

Perform key recovery

Complete the following procedure to enable key archival on the CA with the Key Recovery Agent certificate you created, so that Identity as a Service can perform a key recovery.

1.      On the Microsoft CA machine, in Server Manager go to Tools and select Certification Authority.

2.      Right-click your certification authority and select Properties. The CA Properties dialog box appears.

3.      Click the Recovery Agents tab and do the following:

a.      Select Archive the key.

b.      In the Number of recovery agents to use text box, enter the number of recovery agents you are using (typically 1).

c.      Click Add. The Key Recovery Agent Selection dialog box appears.

d.      Select the Key Recovery Agent certificate that you created in the previous steps and click OK.

4.      Click Apply. You are prompted to restart the CA service; click Yes. After the service restarts, the Recovery Agents tab lists the certificate with the status Valid.

5.      Click OK to close the CA Properties dialog box.

Note: If the status shows Not loaded or Invalid, the CA could not validate the certificate, usually because it cannot retrieve the CRL of the issuing CA (see the note at the start of this page). Publish the CRL, restart the CA service, and check the status again before attempting a recovery.
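The following PowerShell script is an added example and is not part of the original page or of the Identity as a Service product. It is run on the CA after the Recovery Agents tab has been configured: it confirms that the agent certificate is registered and loaded, and then performs a manual recovery of one archived key with the PKCS12 file from the previous procedure, which is the same operation Identity as a Service performs. It assumes the PKCS12 file is at C:\PKI\recover.pfx, that $SearchToken is a placeholder for a certificate that was issued with key archival (certutil -getkey accepts a serial number, thumbprint, UPN or common name), and that it runs in an elevated session as a CA administrator.

```powershell
# Added example (not from the original page): verify the key archival
# configuration written by the Recovery Agents tab and test a recovery.
# Assumed values (placeholders, not from the page):
$KraPfx      = 'C:\PKI\recover.pfx'      # PKCS12 file exported in the previous procedure
$SearchToken = '<serial-number-or-UPN>'  # a certificate issued with key archival
$WorkDir     = 'C:\PKI\recovery'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. The Recovery Agents tab stores its settings in the CA's registry
#    configuration: KRACertCount is "Number of recovery agents to use" and
#    KRACertHash lists the thumbprints that were added. The CA validates and
#    loads these certificates when the service starts.
& certutil.exe -getreg CA\KRACertCount
& certutil.exe -getreg CA\KRACertHash

# 2. Restart the CA service so the agent certificate is validated and loaded.
#    The console prompts for this after Apply; this is the equivalent.
Restart-Service CertSvc
(Get-Service CertSvc).Status

# 3. Retrieve the encrypted archived-key blob for one certificate. This needs
#    CA administrator rights only; nothing is decrypted yet.
$blob = Join-Path $WorkDir 'archived.blob'
& certutil.exe -getkey $SearchToken $blob
if ($LASTEXITCODE -ne 0) {
    throw "certutil -getkey failed for '$SearchToken'. Check that the certificate was issued from a template with 'Archive subject's encryption private key' enabled and that the Recovery Agents tab shows the agent as Valid."
}

# 4. Decrypt the blob. certutil -recoverkey looks for a KRA private key in the
#    current user's store, so the PKCS12 file is imported first. Anyone who
#    holds that file can run this step, which is why it must be protected.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password of the KRA PKCS12 file'
$imported = Import-PfxCertificate -FilePath $KraPfx -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword -Exportable:$false
"Imported KRA certificate $($imported.Thumbprint); it must match a KRACertHash entry above."

$recovered   = Join-Path $WorkDir 'recovered.pfx'
$outPassword = Read-Host -Prompt 'Password for the recovered PKCS12 file'
& certutil.exe -p $outPassword -recoverkey $blob $recovered
if ($LASTEXITCODE -ne 0) {
    throw 'certutil -recoverkey failed. The KRA certificate in Cert:\CurrentUser\My must match one of the KRACertHash thumbprints.'
}

# 5. Confirm the output is a usable key pair, then remove the blob and the
#    imported KRA private key so neither is left on the CA.
Get-PfxCertificate -FilePath $recovered | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
Remove-Item $blob -Force
Remove-Item "Cert:\CurrentUser\My\$($imported.Thumbprint)" -DeleteKey
```

Steps 3 and 4 are deliberately separated: -getkey only needs CA administrator rights and produces a blob that is useless without the agent's private key, while -recoverkey needs that key and nothing from the CA. Keeping the two roles on different accounts (a CA administrator who retrieves blobs, a recovery agent who decrypts them) is the reason the KRA certificate lives on a dedicated user rather than on the CA itself.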