A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned to this role.

To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow the person assigned to this role to enroll for a key recovery agent certificate.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure the Key Recovery Agent certificate template
  1. Open the Certificate Templates snap-in.

  2. In the console tree, right-click the Key Recovery Agent certificate template.

  3. Click Duplicate Template.

  4. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  5. In Template, type a new template display name, and then modify any other optional properties as needed.

  6. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.

  7. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.


    To enhance security and control of the key recovery process, you should not use autoenrollment for key recovery agent certificates.

Before the new key recovery agent can enroll for a certificate based on the new certificate template that you created, the template must first be added to the CA. For information about how to complete this procedure, see Add a Certificate Template to a Certification Authority (http://go.microsoft.com/fwlink/?LinkId=147110).

If the certificate was configured with Read and Enroll permissions, the new key recovery agent must use the Certificates snap-in and the Certificate Import Wizard to obtain a key recovery certificate. If the certificate template was configured with Autoenroll permissions, the certificate will be issued automatically the next time the user logs on to the network.


By default, the CA certificate manager approval check box is selected on the Issuance Requirements tab. Unless you clear this check box, a CA manager must approve the certificate request before a key recovery agent certificate is issued.

The next procedure, Enable Key Archival for a CA, cannot be completed until the key recovery agent has obtained this certificate.

Additional references