Identify a key recovery agent

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To identify a key recovery agent

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Certification Authority.

  3. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  4. On the Action menu, click Properties.

  5. On the Recovery Agents tab, click Archive the key.

  6. In the Number of recovery agents to use box, type the number of key recovery agents that will be used to encrypt the archived key.

  7. Click Add to add key recovery agent certificates.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • To add key recovery agents, the Number of recovery agents to use must be 1 or more.

  • If the Number of recovery agents to use value exceeds the number of recovery agent certificates with the status of "Valid," enrollment requests that require key archival will fail.

  • This procedure configures a certification authority to archive private keys when issuing certificates based on templates that have key archival configured. For more information about configuring certificate templates for key archival, see Related Topics.

  • When the recovery agent certificates are added to the CA, a status is displayed for each certificate. Status can be one of the following values and causes:

    Status       Cause

    Expired      The certificate's expiration date has passed, so the certificate cannot be used.
    Invalid      The certificate may be malformed or causes an error when loading.
    Not found    The certificate was configured but cannot be located by the CA.
    Not loaded   The certificate was configured but has not yet been loaded by the CA.
    Revoked      The certificate has been revoked and cannot be used.
    Untrusted    The root CA for this certificate is not trusted by the CA.
    Valid        The certificate has been loaded by the CA and is operating normally.
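    The following PowerShell script is an added example, not part of this help page or of Certificate Services itself: it reads the same settings the procedure above configures (the recovery agent certificates and the Number of recovery agents to use) through the ICertAdmin2 COM interface, reports each certificate's status using the table above, and warns when the "recovery agents to use" value exceeds the number of Valid certificates, the condition that makes key archival requests fail. The CR_PROP_* and KRA_DISP_* constants are assumed from certadm.h, and the CA is assumed to be running on the local machine.

```powershell
# Added example: audit the key recovery agent (KRA) configuration of the local CA.
# Property IDs and state codes are assumed from certadm.h; verify against your SDK headers.
$CR_PROP_KRACERTUSEDCOUNT = 24   # "Number of recovery agents to use"
$CR_PROP_KRACERTCOUNT     = 25   # number of KRA certificates configured on the CA
$CR_PROP_KRACERTSTATE     = 27   # status of the KRA certificate at a given index
$PROPTYPE_LONG            = 1

# KRA_DISP_* codes mapped to the status names shown on the Recovery Agents tab
$KraState = @{ 0 = 'Expired'; 1 = 'Not found'; 2 = 'Revoked'; 3 = 'Valid';
               4 = 'Invalid'; 5 = 'Untrusted'; 6 = 'Not loaded' }

# Build the "Server\CA name" config string for the CA running on this machine
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$config = "$env:COMPUTERNAME\$caName"

$admin = New-Object -ComObject 'CertificateAuthority.Admin'
$used  = $admin.GetCAProperty($config, $CR_PROP_KRACERTUSEDCOUNT, 0, $PROPTYPE_LONG, 0)
$count = $admin.GetCAProperty($config, $CR_PROP_KRACERTCOUNT,     0, $PROPTYPE_LONG, 0)

# Walk every configured KRA certificate and count the ones the CA can actually use
$valid = 0
for ($i = 0; $i -lt $count; $i++) {
    $state = $admin.GetCAProperty($config, $CR_PROP_KRACERTSTATE, $i, $PROPTYPE_LONG, 0)
    $label = $KraState[[int]$state]
    if ($label -eq 'Valid') { $valid++ }
    "KRA certificate {0}: {1}" -f $i, $label
}

"Configured: $count   Valid: $valid   Number of recovery agents to use: $used"
if ($used -lt 1) {
    Write-Warning 'Key archival is not enabled on this CA (recovery agents to use is 0).'
} elseif ($used -gt $valid) {
    Write-Warning 'Recovery agents to use exceeds the Valid KRA certificates; key archival requests will fail.'
}
```

Run it on the CA as a Certification Authority Administrator after completing the procedure, and again whenever a KRA certificate nears expiry or is renewed, since an Expired or Revoked certificate lowers the Valid count without changing the configured number.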

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Certificate Services example implementation: Key archival and recovery
Key archival and recovery
Establishing key options and key archival

Other Resources

Active Directory Certificate Services PKI - Key Archival and Management