1. | Create an EFS Key Recovery Agent custom template. |
2. | Create a new Windows group, EFS Key Recovery Agents. |
3. | Give the new group Read and Enroll permissions on the template. |
4. | Add users to the new Windows group and have them request Key Recovery Agent Certificates. |
5. | Enable key archival on the CA and register the Key Recovery Agent certificates. |
6. | Create a new EFS template that allows key archival. |
7. | Give the users who are allowed to use EFS Read and Enroll permissions on the new template. |
8. | Replace or issue new EFS certificates. |
1. | Open the Certificate Templates console by right-clicking the Certificate Templates node in the Certification Authority console and clicking Manage. |
2. | Right-click the Key Recovery Agent certificate template and select Duplicate Template. |
3. | Name the certificate template EFS Key Recovery Agent or some other descriptive name. |
4. | Click OK. |
5. | Double-click the template to open it. |
6. | Select the Issuance Requirements page and select CA certificate manager approval, as shown in Figure 13-30. With this setting every request for the template is held as pending until a certificate manager issues it, so a Key Recovery Agent certificate is never issued automatically. |
Figure 13-30. Make sure that the Key Recovery Agent Certificate is NOT automatically published.
7. | Select the Security page and use the Add button to add the EFS Key Recovery Agents group, as shown in Figure 13-31. |
Figure 13-31. Add the Recovery Agent group to the certificate template.
8. | Select the EFS Key Recovery Agents group and give it Read and Enroll permissions. Do not grant Autoenroll: a recovery agent certificate should be obtained deliberately, by a named account, and approved by a certificate manager. |
9. | Click OK to return to the console. |
10. | From the CA console, right-click the Certificate Templates node, select New, and then Certificate Template to Issue. |
11. | In the Enable Certificate Templates box, as shown in Figure 13-32, select EFS Key Recovery Agent and click OK. |
1. | Add the users who have been granted key recovery permission to the new Windows group. A good practice is to create dedicated accounts for use as key recovery agents; these accounts are used only to obtain and hold the key recovery certificate. Whoever controls the private key of a Key Recovery Agent certificate can decrypt every private key archived under it, so treat these accounts, and any exported copy of their keys, as highly privileged. |
2. | Log on using an account that has been given key recovery rights. |
3. | Open a Certificates console by adding the snap-in to an MMC. |
4. | Right-click the Personal\Certificates store, select All Tasks, and then Request New Certificate. |
5. | Click Next on the Request a New Certificate Wizard welcome page. |
6. | Select the EFS Key Recovery Agent certificate. |
7. | Enter a friendly name, click Next, and then click Finish. |
8. | Open the Certification Authority console. |
9. | Select the Pending Requests folder and find the request just submitted. |
10. | Right-click the request, select All Tasks, and click Issue. |
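The same request, approval and retrieval cycle can be driven from the command line with certreq and certutil, which is useful when the agent account has no interactive desktop on the CA. The following is an added example, not from the book. It assumes the template was named EFSKeyRecoveryAgent (Windows strips the spaces from the display name when it builds the template name), that the CA is reachable under the constructed config string ca01.corp.example\Corp-Issuing-CA, and that part 1 and part 3 run as the recovery agent account while part 2 runs as a certificate manager.

```powershell
# Added example (not the book's code). Command-line equivalent of steps 2-10 above.
# Assumed names: template EFSKeyRecoveryAgent, CA config string below (both invented).
$Template = 'EFSKeyRecoveryAgent'
$CAConfig = 'ca01.corp.example\Corp-Issuing-CA'

# --- Part 1 (recovery agent account): build and submit the request -----------
$inf = @"
[NewRequest]
Subject = "CN=EFS Recovery Agent 1"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path .\kra.inf -Value $inf
certreq -new .\kra.inf .\kra.req

# Because the template requires CA certificate manager approval, -submit reports
# the request as pending ("Taken Under Submission") and prints its RequestId.
$submit    = certreq -submit -config $CAConfig .\kra.req .\kra.cer
$requestId = ($submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
"Request $requestId is pending certificate manager approval"

# --- Part 2 (certificate manager): review and issue ---------------------------
# Disposition 9 = pending. Confirm who asked for which template before issuing.
certutil -config $CAConfig -view -restrict "Disposition=9,RequestID=$requestId" -out "RequestID,RequesterName,CertificateTemplate"
# -resubmit on a pending request is the command-line form of All Tasks, Issue.
certutil -config $CAConfig -resubmit $requestId

# --- Part 3 (recovery agent account): retrieve, install, verify ---------------
certreq -retrieve -config $CAConfig $requestId .\kra.cer
certreq -accept .\kra.cer      # binds the issued certificate to the private key

# Verify the certificate really carries the Key Recovery Agent EKU
# (OID 1.3.6.1.4.1.311.21.6); a wrong template would pass the GUI steps silently.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path .\kra.cer).Path)
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.21.6' })) {
    "Key Recovery Agent certificate installed: thumbprint $($cert.Thumbprint)"
} else {
    throw 'Issued certificate does not carry the Key Recovery Agent EKU; check the template'
}
```

The point of splitting the script by role is the same as the point of the CA certificate manager approval setting: the person who can ask for a recovery agent certificate should not be the person who can issue one.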
1. | Open the Certificate Templates console by right-clicking the Certificate Templates node in the Certification Authority console and clicking Manage. |
2. | Right-click the Basic EFS certificate template and select Duplicate Template. |
3. | On the General page, name the certificate template EFS Archival or some other descriptive name. |
4. | On the Request Handling page, select Archive subject's encryption private key, as shown in Figure 13-33, and click OK on the notice that appears. This is the setting that makes the CA store a copy of each enrollee's EFS private key, encrypted to the Key Recovery Agent certificates, in the CA database. |
Figure 13-33. The certificate won't be marked as good until the process is complete.
5. | On the Superseded Templates page, click Add and select the Basic EFS template, so that certificates from the new template replace existing Basic EFS certificates when clients re-enroll. |
6. | Select the Security page, add the groups that are allowed to use EFS, and give them Read and Enroll permissions on the template. |
7. | Click OK to return to the console. |
8. | From the CA console, right-click the Certificate Templates node and select New, then Certificate Template to Issue. |
9. | In the Enable Certificate Templates box, select EFS Archival and click OK. |
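The two templates created so far (the EFS Key Recovery Agent template in the first procedure and the EFS Archival template in this one) are stored as objects in the Configuration partition of Active Directory, and the settings that matter here are single bits and ACEs that the template console does not show side by side. The following is an added example, not from the book, that reads both templates directly and reports exactly those settings. It assumes the template names EFSKeyRecoveryAgent and EFSArchival (display names with spaces removed); the flag values and rights GUIDs are from the published certificate template schema and the built-in Basic EFS template's name is EFS.

```powershell
# Added example (not the book's code): audit the templates created above.
# Assumed template names; change them if you used other names.
Add-Type -AssemblyName System.DirectoryServices

# Bits in msPKI-Enrollment-Flag / msPKI-Private-Key-Flags (MS-CRTD)
$CT_FLAG_PEND_ALL_REQUESTS            = 0x2   # "CA certificate manager approval"
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1   # "Archive subject's encryption private key"
# Extended rights that the template Security page calls Enroll and Autoenroll
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-CertTemplateAudit {
    param([Parameter(Mandatory)][string]$Name)

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "certificate template '$Name' not found ($path)"
    }
    $t = [ADSI]$path

    $enrollFlags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $keyFlags    = [int]$t.Properties['msPKI-Private-Key-Flags'].Value
    $supersedes  = @($t.Properties['msPKI-Supersede-Templates'] | ForEach-Object { $_ })

    # Walk the ACL and collect who holds the Enroll and Autoenroll extended rights.
    $enroll = @(); $autoenroll = @()
    $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $who = $r.IdentityReference.Value
        $ext = ($r.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0
        # An ExtendedRight ACE with an empty ObjectType grants every extended right
        # (this is also what GenericAll / Full Control expands to).
        $allExt = $ext -and ($r.ObjectType -eq [Guid]::Empty)
        if ($allExt -or ($ext -and $r.ObjectType -eq $EnrollRight))     { $enroll     += $who }
        if ($allExt -or ($ext -and $r.ObjectType -eq $AutoEnrollRight)) { $autoenroll += $who }
    }

    [pscustomobject]@{
        Template                = $Name
        RequiresManagerApproval = ($enrollFlags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        ArchivesPrivateKey      = ($keyFlags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
        Supersedes              = $supersedes
        Enroll                  = @($enroll     | Sort-Object -Unique)
        Autoenroll              = @($autoenroll | Sort-Object -Unique)
    }
}

$kra = Get-CertTemplateAudit -Name 'EFSKeyRecoveryAgent'
$efs = Get-CertTemplateAudit -Name 'EFSArchival'
$kra, $efs | Format-List

# The checks that correspond to the two procedures above
if (-not $kra.RequiresManagerApproval) { Write-Warning 'KRA template: CA certificate manager approval is NOT required' }
if ($kra.Autoenroll.Count -gt 0)       { Write-Warning "KRA template: Autoenroll granted to $($kra.Autoenroll -join ', ')" }
if (-not $efs.ArchivesPrivateKey)      { Write-Warning 'EFS Archival template: private key archival is NOT enabled' }
if ($efs.Supersedes -notcontains 'EFS') { Write-Warning 'EFS Archival template does not supersede Basic EFS (template name EFS)' }
```

Run it as any domain user that can read the Configuration partition; the warnings are the conditions under which the design in this section silently fails (keys issued without archival) or becomes dangerous (a recovery agent certificate obtainable without a human approving it).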
1. | Open the Certification Authority console. |
2. | Right-click the CA and select Properties. |
3. | Select the Recovery Agents page. |
4. | Select Archive the key. |
5. | Enter 1 for Number of recovery agents to use. This is the number of Key Recovery Agent certificates each archived private key is encrypted to; if you register more than one agent certificate, raise it accordingly so that recovery does not depend on a single agent's key. |
6. | In the Key recovery agent certificates box, as shown in Figure 13-34, click Add and select the certificate issued to a recovery agent account. |
Figure 13-34. Select the Key Recovery Agent certificate.
7. | Select the agent certificate and click OK. The certificate is first shown with an X, as shown in Figure 13-35. After Certificate Services is restarted, the X disappears, as shown in Figure 13-36, indicating that the certificate has been accepted and that key archival is configured. (On screen the X is red, and the accepted certificate is shown in green.) |
Figure 13-36. After Certificate Services is stopped and started, the certificate is accepted.