Archiving and recovering (export) private key in Active Directory Certification Services (ADCS)

When you have your Active Directory Certification Services (ADCS), your domain users can have certificates used to encrypt\decrypt emails. Your security department may want to get access to those encrypted emails, so you must provide private key of this user, so security-people can decrypt messages.

How can you do that?

There is a following way in MS CA realization:

1. You set up private key archival on CA server.
2. After you perform settings, private key getting copied to CA database at the moment of enrollment.
3. When you need private key of some users, you recover the key to *.pfx file.

Lets take a look how to perform these three points.

Set up private key archival on CA server.

You will need Key Recovery Agent issued for you.

• Open the Certificate Authority snap-in, right-click Certificate Templates, and select Manage. Open the properties of the Key Recovery Agent template. Under the Security tab you'll see that by default only Domain Admins and Enterprise Admins have the permissions to enroll for the certificate. Mention that maybe you will need to restrict Domain Admins. That is because if any domain admin get Key Recovery Agent certificate, he will be able to restore private key of any user and thus read encrypted email messages, for example. 

• In Certificate Authority, select Certificate Templates, and make Key Recovery Agent template available to issue (right-click Certificate Templates, click New and then select Certificate Template to Issue).

• As an administrator on Certificate Authority server, you should now request a Key Recovery Certificate via the MMC Certificates snap-in, which will show in your Personal Certificates store.

• In the Certificate Authority snap-in, right-click the CA and select Properties. In the Recovery Agents tab, change the option to Archive the key and select Add for recovery agents. Select the certificate for the administrator, then click Apply for the change to take effect. Click OK.

• Certificate templates need to be enabled to archive the private key. Select Certificate Templates and click Manage. Select the certificate template to enable archival for and select Properties. Select the Request Handling tab and select Archive subject's encryption private key. Click OK.

• New certificates generated from the template will now have the key archived, which will show under Issued Certificates when you add the Archived Key column (View, Add/Remove Columns).

Restore Private Key Archived

When a private key for certificate has been archived, the key can be recovered by the user who has the Key Recovery Agent certificate. In our case that you. To run recovery command, you must know Serial number of the certificate. You can get it from public key properties on Details tab.

The serial number is used for the actual private key recovery, as you can see in the following code, which first creates a BLOB of the certificate and then extracts the private key from it to a pfx file. This file will prompt you for a password to protect the pfx.

C:\Users\administrator.PKI>certutil -getkey "24 00 00 00 2d db 66 0f 25 22 6f b9 cf 00 00 00 00 00 2d" user-private-key.key
Recovery blobs retrieved: 1
Recovery Candidates: 1

Retrieved key files:
  user-private-key.key

CertUtil: -GetKey command completed successfully.

C:\Users\administrator.PKI>certutil -recoverkey user-private-key.key user-private-key.pfx
Enter new password:
Confirm new password:

Recovered key files:
  user-private-key.pfx
CertUtil: -RecoverKey command completed successfully.

C:\Users\administrator.PKI>

Now you have *.pfx file which you can import under any user's profile.

Understanding Key Recovery Agent (KRA) certificates safety and lifecycles

Ok, we've done with basic knowledges. Now, we must think about one very important thing!

When we add KRA certificate to the CA server, you must understand that private keys that CA server will archive are actually encrypted with this KRA certificate. So you must understand that you must watch carefully about KRA key\certificate in your users profile. Think about exporting your KRA certificate with private key to some protected storage.

Now, as you already know, user's private keys is encrypted during archiving with privake key of KRA certificate. Please look at the following picture:

How do you think can you recover archived keys with KRA(b)? The answer is: No, you cant. Thats why you must watch careful for the KRA certificate expiration period to renew it. And very imprtant that you must renew it with the existing private key of KRA certificate.

One more thing you can do to secure your archived keys - to have two KRA certificates, just like on the image above.

And I think the last thing, you can prepare some Powershell or Bash script to recover archived keys in batch at some period (per day, for example) and store them in some protected storage.