Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).

You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To enable key archival for a CA
  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties.

  4. Click the Recovery Agents tab, and then click Archive the key.

  5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.

    The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.

  6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.

  7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.

  8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.

The list of Key recovery agent certificates can include the status values and causes in the following table.

Status Cause

Expired

The certificate's expiration date has passed, so the certificate cannot be used.

Invalid

The certificate may be malformed or causes an error when loading.

Not found

The certificate was configured but cannot be located by the CA.

Not loaded

The certificate was configured but has not yet been loaded by the CA.

Revoked

The certificate has been revoked and cannot be used.

Untrusted

The root CA for this certificate is not trusted by the CA.

Valid

The certificate has been loaded by the CA and is operating normally.

If the Number of recovery agents to use value exceeds the number of recovery agent certificates with the status of Valid, enrollment requests that require key archival will fail.

Additional references