Hi,
We have a 2-tier CA architecture wherein we have one offline root CA and one subordinate issuing CA. The users in the organisation are using certificates for EFS. I have enabled key archiving for the EFS certificates so that when users misplace their private keys we can retrieve them from the server and decrypt their data.
I have followed the procedure below to enable KRA on the server:
- Designated an existing user to serve as the key recovery agent.
- Configured the key recovery agent certificate template and enrolled the key recovery agent for a key recovery agent certificate.
- Registered the new key recovery agent with the CA.
- Enabled key recovery for the EFS certificate template.
We have mixed Domain Controllers consisting of Windows 2003 and Windows 2008 servers. I am facing some issues, which are as follows:
- If I apply the EFS Group Policy through a Windows 2008 DC (as it is not available in Windows 2003), will it get applied on all desktops, including Windows XP?
- If, after enabling archiving, I want to disable the feature, how should I go about it? And if any user has already enrolled a certificate from the new template, what will be the impact on him when I disable key archiving on the template?
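Added example, not part of the original post or of Microsoft's own tooling: a PowerShell check that reports the current archival state on both the EFS template and the issuing CA, and lists the issued certificates that already carry an archived key, which is the set affected by a later change to the template. It assumes a domain-joined machine with certutil.exe and read access to the Configuration partition; the CA config string and the template display name are placeholders to adjust.

```powershell
# Added example (not from the original post): inventory where key archival is
# currently in effect before changing it on the template.
# Assumptions: run on a domain-joined machine with certutil.exe available and
# read access to the Configuration partition; $CaConfig is a placeholder for
# your "host\CA common name"; the template name defaults to the built-in one.
param(
    [string]$TemplateName = 'Basic EFS',            # display name of the EFS template in use
    [string]$CaConfig     = 'ISSUING-CA\CA-NAME'    # placeholder, replace with the real value
)

# 1. Template side: bit 0x1 of msPKI-Private-Key-Flag is
#    CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL.
$cfgNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplBase  = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($tplBase)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))"
$tpl = $searcher.FindOne()
if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }
$pkFlags          = [int]$tpl.Properties['mspki-private-key-flag'][0]
$requiresArchival = ($pkFlags -band 0x1) -ne 0

# 2. CA side: KRACertCount is the number of KRA certificates the CA encrypts
#    archived keys to; with 0 the CA rejects requests that ask for archival.
$regOut   = certutil -config $CaConfig -getreg 'ca\KRACertCount' 2>&1 | Out-String
$kraCount = if ($regOut -match 'KRACertCount\s+REG_DWORD\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }

[pscustomobject]@{
    Template         = $TemplateName
    RequiresArchival = $requiresArchival
    CaKraCertCount   = $kraCount
}

# 3. Issued certificates (Disposition=20) that already have an archived key:
#    a non-empty KeyRecoveryHashes column means the private key is stored in
#    the CA database. Clearing the archival flag on the template later does
#    not remove these rows; those keys stay recoverable by the KRA.
certutil -config $CaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,CertificateTemplate,NotAfter,KeyRecoveryHashes'
```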