You might know that there is a key archival option, included only in the Enterprise editions of Windows Server 2003, 2003 R2, 2008 and 2008 R2.
It keeps an archived copy of each user's private key so that the key can be recovered if the user loses her certificate or leaves the company. Make sure that you follow all legal procedures before you recover anybody's key. But back to the technical part. If you follow the standard procedure from the Microsoft documents you have to deal with certificate templates, publish the template, deal with access permissions, log on as a user and request a key recovery agent (KRA) certificate, and the KRA private key ends up stored on a Windows machine.
With OpenSSL you can instead create the private key and the certificate on a secured standalone machine; whether it runs Windows or Unix does not matter. You can, for example, move the KRA private keys to smart cards and copy only the public part, the certificate, to the CA.
Howto:
- add to the new_oids section of openssl.cnf (the section that the oid_section line at the top of the file points to) the line
KEY_RECOVERY_AGENT=1.3.6.1.4.1.311.21.6
- add to the v3_ca section of openssl.cnf (the section that x509_extensions in [ req ] points to, so it is what -x509 uses) the two lines
keyUsage=keyEncipherment
extendedKeyUsage=KEY_RECOVERY_AGENT
- remove or comment out the line basicConstraints = CA:true in that section (or change it to CA:FALSE); a KRA certificate must not be a CA certificate
- generate a new RSA key, protected with a passphrase
openssl genrsa -aes256 -out kra1.key 2048
- generate a self-signed certificate for x days; x can be at most the remaining validity of the CA certificate
openssl req -new -x509 -days 365 -key kra1.key -config openssl.cnf -out kra1.cer
- copy only kra1.cer to the CA and also import it into the Root store there, so the CA service accepts the self-signed certificate as trusted. Adding it to the Root store is only necessary on the CA itself; there is no need to do so on any other server or client in your environment.
- configure the kra1 certificate in the CA:
certutil -f -enterprise -addstore KRA kra1.cer
certutil -f -enterprise -addstore Root kra1.cer
Then select it on the Recovery Agents tab of the CA properties (Archive the key, Number of recovery agents to use) and restart the CA service so the new setting takes effect.
Go through the same procedure for a kra2.
If you want to have that as a PFX file (e.g. to load the key onto a smart card):
openssl pkcs12 -export -in kra1.cer -inkey kra1.key -out kra1.pfx
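The whole OpenSSL side of the procedure above as one script, as an added example (not from the original post): it writes a minimal openssl.cnf with the new_oids entry and a KRA extension section, generates two passphrase-protected keys and self-signed certificates, checks that each certificate carries the KRA EKU and keyEncipherment and is not a CA certificate, exports a PFX and verifies that the PFX opens. The file names, the section name kra_ext, the working directory and the KRA_PASS environment variable are assumptions; the config sets basicConstraints to CA:FALSE explicitly instead of only dropping the CA:true line, and the PFX is written with SHA1/3DES PBE because the Windows releases this post targets cannot import the AES-256/PBKDF2 format that OpenSSL 3 produces by default. The certutil steps stay on the Windows CA as shown above.

```shell
#!/bin/sh
# Added example: build and check KRA certificates with OpenSSL.
# Assumed names: kra.cnf, kra1/kra2.key/.cer/.pfx, section kra_ext.
# KRA_PASS is a constructed demo passphrase so the script runs unattended;
# in practice type it in or keep it on a separate medium.
set -eu

WORK="${WORK:-$(mktemp -d)}"
export KRA_PASS="${KRA_PASS:-change-me-before-use}"

# Minimal config: new_oids names the Microsoft KRA EKU, kra_ext takes the
# place of v3_ca and explicitly says "not a CA".
write_config() {
    cat > "$WORK/kra.cnf" <<'EOF'
oid_section = new_oids

[ new_oids ]
KEY_RECOVERY_AGENT = 1.3.6.1.4.1.311.21.6

[ req ]
default_md         = sha256
distinguished_name = dn
x509_extensions    = kra_ext
prompt             = no

[ dn ]
CN = Key Recovery Agent

[ kra_ext ]
basicConstraints     = critical, CA:FALSE
keyUsage             = keyEncipherment
extendedKeyUsage     = KEY_RECOVERY_AGENT
subjectKeyIdentifier = hash
EOF
}

# $1 = name (kra1, kra2, ...), $2 = validity in days; keep it within the
# remaining lifetime of the CA certificate.
make_kra() {
    name="$1"; days="${2:-365}"
    openssl genrsa -aes256 -passout env:KRA_PASS -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -days "$days" -config "$WORK/kra.cnf" \
        -key "$WORK/$name.key" -passin env:KRA_PASS \
        -subj "/CN=$name" -out "$WORK/$name.cer"
}

# Dump the certificate without loading kra.cnf, so the EKU is printed as its
# dotted OID (or as KEY_RECOVERY_AGENT if a config with the name is active).
cert_text() {
    openssl x509 -in "$WORK/$1.cer" -noout -text
}

# 0 only if the cert is what the CA expects: KRA EKU, keyEncipherment,
# not a CA certificate, 2048-bit key.
check_kra() {
    txt="$(cert_text "$1")"
    echo "$txt" | grep -Eq 'KEY_RECOVERY_AGENT|1\.3\.6\.1\.4\.1\.311\.21\.6' || return 1
    echo "$txt" | grep -q 'Key Encipherment' || return 1
    echo "$txt" | grep -q 'CA:TRUE' && return 1
    echo "$txt" | grep -q '2048 bit' || return 1
    return 0
}

# Key + cert as PFX for the offline KRA holder / smart card. The SHA1/3DES
# settings keep the file importable on older Windows releases.
export_pfx() {
    openssl pkcs12 -export -in "$WORK/$1.cer" -inkey "$WORK/$1.key" \
        -passin env:KRA_PASS -passout env:KRA_PASS \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$WORK/$1.pfx"
}

# Parse the PFX and verify its MAC without printing any secrets.
verify_pfx() {
    openssl pkcs12 -in "$WORK/$1.pfx" -passin env:KRA_PASS -noout
}

write_config
make_kra kra1 365
make_kra kra2 365
check_kra kra1 && check_kra kra2 && echo "both KRA certificates pass the checks"
export_pfx kra1 && verify_pfx kra1
echo "copy only $WORK/kra1.cer and $WORK/kra2.cer to the CA; keep .key and .pfx off the CA"
```

Only the .cer files leave the machine; the encrypted .key and the .pfx stay with the KRA holders, which is the whole point of doing this outside the CA.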
Best practices:
- Never copy the private key to the CA itself
- Protect the KRA private key with a passphrase, or better, move it to a set of smart cards
- Have at least 2 KRAs installed and set the CA to use all of them
- Use at least a 2048-bit key
- Verify access to the KRA keys on a regular basis, e.g. every 12 months
- Have an approved process for key escrow and data recovery