Configuring Key Recovery for Keyfactor Command

The following instructions for configuring CA-level key recovery within Keyfactor Command (a certificate authority (CA) is an entity that issues digital certificates; within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA) assume that your Microsoft CA is already configured for key recovery and that you have the key recovery agent (KRA) certificate available as a PFX file for import on the Keyfactor Command administration server. (A PFX file, personal information exchange format, also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.) Instructions for configuring key recovery on a Microsoft CA are beyond the scope of this guide.

Tip:  CA-level key recovery is supported for Microsoft CAs to allow recovery of private keys for certificates enrolled outside of Keyfactor Command. CA-level key archiving is not supported for enrollments done through Keyfactor Command. CA-level key recovery is not supported for EJBCA CAs. For enrollments done through Keyfactor Command for either Microsoft or EJBCA CAs, use Keyfactor Command private key retention (see Details Tab). (Private keys are used in cryptography, symmetric and asymmetric, to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure.)

To configure your Keyfactor Command administration server to support key recovery:

  1. Log in on the Keyfactor Command administration server as the service account under which the Keyfactor Command application pool is running and open a command prompt. Alternatively, if you have previously logged on as this service account and a user profile already exists for it, you can open a command prompt as the service account by Shift+right-clicking the Command Prompt shortcut and choosing "Run as different user". Within the command prompt, type the following to open the certificates MMC for the service account user:

    certmgr.msc
  2. Import the KRA PFX file into the service account user’s personal certificate store.

This process needs to be repeated using the KRA certificate(s) from each CA for which you want to enable recovery within the Management Portal.
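The same import can be scripted for one or more KRA PFX files, which is convenient when several CAs are involved. The following is an added example written for this page and is not Keyfactor's own tooling; it must be run from a PowerShell session started as the application pool service account (the account name and PFX paths below are placeholders). It imports each PFX into the current user's Personal store, the same location certmgr.msc shows, and then checks that the imported certificate actually carries a private key and the Key Recovery Agent enhanced key usage, so that a wrong PFX is caught before the Management Portal is tested.

```powershell
# Added example (not Keyfactor's own code): import KRA PFX files into the Personal
# store of the *current* user, which must be the Keyfactor Command application pool
# service account. Start the session as that account first, for example:
#   runas /user:CORP\svc_keyfactor powershell.exe   (CORP\svc_keyfactor is a placeholder)

$ExpectedAccount = 'CORP\svc_keyfactor'              # placeholder: your app pool service account
$KraPfxFiles     = @('C:\kra\IssuingCA1-KRA.pfx',     # placeholders: one KRA PFX per CA
                     'C:\kra\IssuingCA2-KRA.pfx')
$KraEkuOid       = '1.3.6.1.4.1.311.21.6'             # Microsoft "Key Recovery Agent" EKU

# 1. Confirm we are running as the right user. A certificate imported into any
#    other user's store is invisible to the application pool.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($current -ne $ExpectedAccount) {
    throw "Running as '$current'; start this session as '$ExpectedAccount' first."
}

foreach ($pfx in $KraPfxFiles) {
    if (-not (Test-Path -LiteralPath $pfx)) { throw "PFX not found: $pfx" }

    # 2. Prompt for the PFX password instead of embedding it in the script.
    $pfxPassword = Read-Host -AsSecureString -Prompt "Password for $pfx"

    # 3. Import into Cert:\CurrentUser\My (Certificates - Current User > Personal).
    #    -Exportable is deliberately omitted so the KRA private key cannot be
    #    re-exported from this profile afterwards.
    $cert = Import-PfxCertificate -FilePath $pfx `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $pfxPassword

    # 4. Verify the result is a usable KRA certificate.
    if (-not $cert.HasPrivateKey) {
        throw "$($cert.Subject): imported without a private key; the PFX may hold only the public certificate."
    }
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekus -notcontains $KraEkuOid) {
        Write-Warning "$($cert.Subject) lacks the Key Recovery Agent EKU ($KraEkuOid); check that this is the KRA certificate and not another certificate issued by the CA."
    }
    Write-Host ("Imported {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}
```

After the script finishes, opening certmgr.msc as the same account should list the imported KRA certificate(s) under Personal > Certificates with the key icon indicating a private key is present; if the private key lives on an HSM, the PFX import step is replaced by the HSM vendor's key-provider setup and only the verification part of the script still applies.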

Note:  To provide additional security over KRA private key(s), Keyfactor strongly recommends the use of a Hardware Security Module (HSM) such as the Thales NetHSM.
Tip:  CA-level key recovery is not supported for EJBCA CAs. Instead, use private key retention within Keyfactor Command (see Details Tab).