I'm trying to implement PKI as widely as possible, including EFS, sure. I did the following:
1. Created custom V2 template "Custom EFS" based on "Basic EFS", assigned read/enroll/autoenroll for Authenticated Users, ticked "archive private key", issued.
2. Created user named "EFS Recovery Agent", assigned Domain Admins rights.
3. Created custom V2 template "Custom EFS Recovery Agent", assigned read/enroll/autoenroll for "EFS Recovery Agent", issued.
4. Logged on to the CA as "Custom EFS Recovery Agent", got the certificate.
5. In Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Encryption File System launched Add Recovery Agent Wizard and installed the certificate.
And the problem appeared when I decided to set up the recovery agent in the CA. I launched certsrv, called "Properties", went to the Recovery Agents tab, pressed Add, and the following window appeared:
No certificate available
No certificates meet the application criteria
The CA doesn't see the certificate that I just installed on the same machine. I rebooted a lot and restarted the service — no effect.
All actions were performed on the Enterprise Subordinate CA, so there were no issues with the private keys being on the wrong PC.
EFS Recovery Agent is in "Issued Certificates". In "Failed Requests" there are records:
Cannot archive private key. The certification authority is not configured for key archival.
What did I miss or misunderstand? Thanks in advance.
PS. Let me know if there is a more suitable forum here.
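An added diagnostic, not part of the original post: the CA's Recovery Agents tab and the EFS Group Policy wizard look for different certificates. The CA tab filters on the Key Recovery Agent EKU (1.3.6.1.4.1.311.21.6), while the EFS data recovery agent certificate carries the File Recovery EKU (1.3.6.1.4.1.311.10.3.4.1). The script below lists which role each certificate in the local stores can fill, and reads the CA's KRACertCount/KRACertUsedCount registry values (the ones certutil -getreg CA\KRACertCount reports) to show whether key archival is configured at all; it assumes it is run on the CA with local admin rights.

```powershell
# Added example, not from the original post. Run on the CA as an administrator.
# EKU OIDs are the documented Microsoft identifiers.
$KraEku    = '1.3.6.1.4.1.311.21.6'      # Key Recovery Agent: what the CA "Recovery Agents" tab accepts
$EfsDraEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery: what the EFS "Add Recovery Agent" GPO wizard uses

function Get-RecoveryCertRoles {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # Collect the EKU OIDs present on the certificate (empty if no EKU extension)
            $ekus = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
            if (-not $ekus) { continue }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                IsCaKRA    = [bool]($ekus -contains $KraEku)     # usable on the CA Recovery Agents tab
                IsEfsDRA   = [bool]($ekus -contains $EfsDraEku)  # usable as the EFS data recovery agent
            }
        }
    }
}

function Get-CaKeyArchivalState {
    # The active CA name and its per-CA settings live under the CertSvc configuration key
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
    [pscustomobject]@{
        CA               = $caName
        # $null or 0 here matches the "not configured for key archival" failed request
        KRACertCount     = $ca.KRACertCount
        KRACertUsedCount = $ca.KRACertUsedCount
        ArchivalEnabled  = [bool]($ca.KRACertUsedCount -gt 0)
    }
}

Get-RecoveryCertRoles | Format-Table -AutoSize
Get-CaKeyArchivalState | Format-List
```

A certificate that shows IsEfsDRA but not IsCaKRA will never appear in the CA's Add dialog, and ArchivalEnabled stays false until a KRA certificate is selected there and the CA service restarted.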