January 20, 2004 12:00 AM

Windows Server 2003 PKI Key Archival and Recovery

Automatically archive private keys
Windows IT Pro
InstantDoc ID #41281

Key Recovery
A PKI user or a PKI-enabled application's user typically initiates key recovery, which requires the intervention of at least one KRA (depending on the number of KRAs specified in the CA's properties). Windows 2003 PKI supports role separation—letting you separate the roles of CA administrator, certificate manager, and KRA—so key recovery might also require the intervention of a certificate manager to retrieve the recovery data from the CA database. The following examples assume no role separation and use only one KRA certificate. You can use the command line or a GUI to recover an archived private key.

A full Windows 2003 private key recovery sequence from the command line consists of the following steps:

  1. The KRA identifies the user requesting a private key recovery.
  2. The KRA records the user certificate's user principal name (UPN), common name (CN), account name (domain\username), Secure Hash Algorithm-1 (SHA-1) thumbprint, or serial number with the goal of finding a unique identifier for the key. If a particular user has more than one archived key, the safest method is first to retrieve a list of all archived keys by typing

    certutil -getkey <user CN, account name, or UPN>

    This command returns the serial number of each archived key; the KRA can then identify the key to recover and use its serial number as the unique identifier.

  3. To export the recovery data from the CA database, the KRA opens a command prompt and types

    certutil -getkey <unique identifier> <output file>

  4. Next, to transform the output file into a Public-Key Cryptography Standards (PKCS) #12 file that contains the recovered private key and is protected with the password "test", the KRA types

    certutil -p "test" -recoverkey <output file> <PKCS#12 file>

    If the KRA recovers multiple keys for the user, the KRA can then merge the multiple PKCS #12 files into one PKCS #12 file by typing

    certutil -p "test" -MergePFX -user "<PKCS#12_file1>,<PKCS#12_file2>" "<NameofCombined_PKCS#12>"

  5. The KRA provides the final PKCS #12 file to the user, who can import it into his or her certificate store.
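The following PowerShell script is an added example, not code from the article or from Microsoft, that strings the five command-line steps above together so a KRA can recover every archived key for one user into a single PKCS #12 file. It uses only the certutil switches the article describes (-getkey, -recoverkey, -MergePFX, -p, -user). The function names, the user placeholder, the working folder, and the assumption that certutil -getkey lists each candidate on a "Serial Number:" line are this example's own; the PKCS #12 password is prompted for rather than hard-coded as "test".

```powershell
# Added example: scripted key recovery with certutil. Run as the KRA, i.e. the
# account that holds the KRA certificate's private key, on a machine that can
# reach the CA. Function names and parsing assumptions are this example's own.

function Get-ArchivedKeySerials {
    # Step 2: list every archived key for the user so the right one can be chosen.
    param([Parameter(Mandatory)][string]$UserIdentifier)   # CN, domain\user, or UPN
    $listing = certutil -getkey $UserIdentifier 2>&1 | Out-String
    # Assumption: the listing shows one "Serial Number: <hex>" line per archived key.
    [regex]::Matches($listing, 'Serial Number:\s*([0-9a-fA-F]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Export-RecoveryBlob {
    # Step 3: export the recovery data for one key, identified by serial number.
    param([Parameter(Mandatory)][string]$SerialNumber,
          [Parameter(Mandatory)][string]$OutFile)
    certutil -getkey $SerialNumber $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for serial $SerialNumber" }
    $OutFile
}

function Restore-PrivateKey {
    # Step 4: decrypt the blob with the KRA private key and write a PKCS #12 file.
    param([Parameter(Mandatory)][string]$BlobFile,
          [Parameter(Mandatory)][string]$PfxFile,
          [Parameter(Mandatory)][string]$PfxPassword)
    certutil -p $PfxPassword -recoverkey $BlobFile $PfxFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed for $BlobFile" }
    $PfxFile
}

function Merge-RecoveredPfx {
    # Step 4, continued: fold several PKCS #12 files into one for delivery.
    # certutil takes its options (-p, -user) before the verb, so -user precedes -MergePFX here.
    param([Parameter(Mandatory)][string[]]$PfxFiles,
          [Parameter(Mandatory)][string]$OutFile,
          [Parameter(Mandatory)][string]$PfxPassword)
    certutil -p $PfxPassword -user -MergePFX ($PfxFiles -join ',') $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -MergePFX failed" }
    $OutFile
}

# Driver. The UPN and working folder are placeholders.
$userIdentifier = 'user@example.com'
$workDir = Join-Path $env:TEMP 'keyrecovery'
New-Item -ItemType Directory -Force -Path $workDir | Out-Null

# Prompt for the PKCS #12 password instead of embedding a literal such as "test".
$secure = Read-Host -Prompt 'Password for the recovered PKCS #12 file' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $pfxPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$pfxFiles = @(foreach ($serial in Get-ArchivedKeySerials -UserIdentifier $userIdentifier) {
    $blob = Export-RecoveryBlob -SerialNumber $serial -OutFile (Join-Path $workDir "$serial.blob")
    Restore-PrivateKey -BlobFile $blob -PfxFile (Join-Path $workDir "$serial.pfx") -PfxPassword $pfxPassword
})

# Step 5: hand the final file to the user; delete the working copies afterwards,
# since the PKCS #12 files contain the user's private keys.
if ($pfxFiles.Count -gt 1) {
    Merge-RecoveredPfx -PfxFiles $pfxFiles -OutFile (Join-Path $workDir 'recovered.pfx') -PfxPassword $pfxPassword
} else {
    $pfxFiles
}
```

Each certutil call is checked through $LASTEXITCODE so a failed export or decryption stops the run rather than silently producing an empty PKCS #12 file; the blob files written by -getkey are encrypted to the KRA certificate and are only usable by whoever holds the KRA private key.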

To recover keys by using a GUI, the KRA must use the Microsoft Windows Server 2003 Resource Kit's Key Recovery tool (krt.exe—aka Certification Authority Key Recovery), which Figure 4 shows. To recover keys by using the Key Recovery tool, the KRA must perform the following steps:

  1. In the Certification authority (CA) drop-down box, the KRA selects the CA from which to recover keys.
  2. To search for the archived private keys and certificates for a particular user, the KRA selects a search criterion (i.e., Common Name, UPN, Serial Number, Hash, or Account Name) in the Search Criteria drop-down box, then enters the appropriate identifier (e.g., Administrator, to correspond with the Common Name criterion) and clicks Search.
  3. After the search returns its results, the KRA can either click Recover to recover all archived keys at once or use the Retrieve Blob and Decrypt Blob buttons to retrieve one key-certificate pair.

Data Recovery vs. Key Recovery
Data recovery is a PKI-related process that decrypts encrypted data following the loss of a private key. This service is necessary when dealing with persistent data that's secured by using encryption technology. The inability to decrypt such data when an encryption key is lost would result in data loss. Data recovery can follow key recovery: After a user and authorized administrator gain access to the user's private key, the user can use the key to decrypt the encrypted symmetric keys that were used to encrypt the data. However, data recovery can also occur independently of private key recovery. Windows 2003 or Windows 2000 Encrypting File System (EFS) is a good example of an application in which data recovery can occur independently of user private key recovery.

For cases in which data recovery must occur independently of private key recovery, a predefined set of administrators—referred to as Data Recovery Agents—is authorized to decrypt the data. The symmetric encryption key must be available to the Data Recovery Agents. Therefore, a PKI that uses this type of data recovery typically uses the Data Recovery Agents' public keys to encrypt a copy of the symmetric encryption key.
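The PowerShell script below is an added example, not code from the article or from EFS, that models the mechanism just described: the data is encrypted with a symmetric key, one copy of that key is encrypted to the user's public key and a second copy to a Data Recovery Agent's public key, so the agent can decrypt the data after the user's private key is lost. The function names, the envelope layout, and the sample text are this example's own constructions; they illustrate the principle and are not EFS's on-disk format. It uses the .NET RSACng and AES classes available in Windows PowerShell 5.1 and PowerShell 7 on Windows.

```powershell
# Added example: data recovery independent of the user's private key.
# The file encryption key (FEK) is a random AES key. It is wrapped twice:
# once to the user's RSA public key and once to the Data Recovery Agent's.
# Envelope layout and sample data are constructed for this illustration.

function Protect-Data {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSA]$UserPublicKey,
          [System.Security.Cryptography.RSA]$DraPublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()          # fresh FEK and IV for this file
    $encryptor = $aes.CreateEncryptor()
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    [pscustomobject]@{
        IV             = $aes.IV
        Ciphertext     = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
        UserWrappedFek = $UserPublicKey.Encrypt($aes.Key, $oaep)   # the user's copy of the FEK
        DraWrappedFek  = $DraPublicKey.Encrypt($aes.Key, $oaep)    # the recovery agent's copy
    }
}

function Unprotect-Data {
    param($Envelope, [byte[]]$WrappedFek, [System.Security.Cryptography.RSA]$PrivateKey)
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $fek = $PrivateKey.Decrypt($WrappedFek, $oaep)   # only the matching private key can unwrap this copy
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Envelope.IV
    $decryptor = $aes.CreateDecryptor()
    # Leading comma returns the byte[] as one object instead of unrolling it.
    ,$decryptor.TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
}

# Two key pairs: the user's and the Data Recovery Agent's.
$userKey = New-Object System.Security.Cryptography.RSACng 2048
$draKey  = New-Object System.Security.Cryptography.RSACng 2048

$plaintext = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: contents of a protected file')
$envelope  = Protect-Data -Plaintext $plaintext -UserPublicKey $userKey -DraPublicKey $draKey

# The user's private key is lost; only the agent's key pair remains.
$userKey.Dispose()

# The agent unwraps its own copy of the FEK and decrypts the data
# without ever needing the user's private key.
$recovered = Unprotect-Data -Envelope $envelope -WrappedFek $envelope.DraWrappedFek -PrivateKey $draKey
[System.Text.Encoding]::UTF8.GetString($recovered)
```

The same envelope would decrypt equally well through UserWrappedFek with the user's private key, which is why the two options in the text are not mutually exclusive: key recovery restores the user's own path, while the agent's wrapped copy provides the independent path, and the choice of which to deploy depends on which of the two you are willing to let administrators exercise.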

Do you need to support data recovery? Keep the following points in mind when making this decision:

  • Data recovery is required when your organization requires independent access to users' encrypted data or doesn't permit access to users' private keys.
  • Key recovery is sufficient when your organization permits access to private keys and doesn't require (or permit) independent access to users' encrypted data.
  • If your organization doesn't permit access to users' encrypted data or private keys, neither key recovery nor data recovery is right for you.

Powerful Capabilities
Windows 2003 PKI provides powerful, centralized, and automatic new key archival and recovery capabilities. The new key archival and recovery service is one of the major reasons why Windows 2003 PKI is a much more mature PKI than its predecessors and (together with other new features) will help Windows 2003 PKI better compete with PKI offerings from other vendors.
