Requesting the Key Recovery Agent Certificate

Important: Define only one Key Recovery Agent.

  1. Connect to Microsoft Certificate Services. If you are not already logged on to the CA server domain, you are prompted for a user name and password. The Microsoft Certificate Services Welcome page is then displayed.

    Note: Log on using the ActivID CMS Server User credentials.

  2. Click Request a certificate.

  3. Click advanced certificate request.

  4. Click Create and submit a request to this CA.

  5. Certificate Template—In the drop-down list, select Key Recovery Agent.

  6. Key Size—Enter the appropriate size, or click the appropriate size in the common key sizes adjacent to the text box.

  7. Select the Mark keys as exportable option.

    Important: Leave the Friendly Name box blank. The Key Recovery Agent certificate MUST NOT have a friendly name.

  8. Click Submit.

  9. Connect to ActivID CMS, and open the Repositories Management page.

  10. In the Certificate Authorities section, locate the CA you want to update, and then click Update. The Certificate Authority Update page is displayed.

  11. Name—Enter a valid, unique name for the CA within ActivID CMS. If Active Directory and the CA are installed on the same host system, then the information in the Active Directory and Certificate Authority boxes should be the same.

  12. Recovery support—Select either the Yes or No option. If you select Yes, then enter the .pfx file path in the Recovery Agent box and type the password in the Recovery Agent’s password text box.

  13. Click Test to check connectivity. The result is displayed in the Test Report box.

  14. Click Update. A confirmation message is displayed.
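
Before entering the .pfx path in step 12, the exported file can be checked against the requirements above (no friendly name, private key present, Key Recovery Agent usage). The following PowerShell script is an added example, not part of the ActivID CMS or Microsoft documentation; the `-PfxPath` parameter and the script itself are assumptions, and the page does not specify where the .pfx is stored.

```powershell
# Added example: pre-flight check of an exported Key Recovery Agent .pfx.
# Assumption: -PfxPath points at the file you exported; the page gives no path.
param(
    [Parameter(Mandatory)] [string] $PfxPath
)

# szOID_KP_KEY_RECOVERY_AGENT: the EKU carried by Key Recovery Agent certificates.
$KraEkuOid = '1.3.6.1.4.1.311.21.6'

# Prompt for the password so it never appears on the command line or in history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# EphemeralKeySet keeps the private key in memory only, so nothing is written to
# a key store on this machine (needs .NET Framework 4.7.2+ or PowerShell 7).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$file  = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file, $password, $flags)

try {
    # Collect the EKU OIDs, if the certificate has an EKU extension at all.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    foreach ($usage in $eku.EnhancedKeyUsages) { $ekuOids += $usage.Value }

    $checks = @(
        [pscustomobject]@{ Check = 'Friendly name is empty'
                           Passed = [string]::IsNullOrEmpty($cert.FriendlyName) }
        [pscustomobject]@{ Check = 'Private key is present in the .pfx'
                           Passed = $cert.HasPrivateKey }
        [pscustomobject]@{ Check = 'Key Recovery Agent EKU is present'
                           Passed = ($ekuOids -contains $KraEkuOid) }
        [pscustomobject]@{ Check = 'Certificate is within its validity period'
                           Passed = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date)) }
    )

    # Report subject and key size for comparison with what was requested in step 6.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    Write-Output "Subject : $($cert.Subject)"
    Write-Output "Key size: $(if ($rsa) { $rsa.KeySize } else { 'non-RSA key' })"
    $checks | Format-Table -AutoSize

    if ($checks.Passed -contains $false) { exit 1 }
}
finally {
    $cert.Dispose()   # release the in-memory private key
}
```

A non-zero exit code means at least one requirement is not met; re-issue or re-export the certificate rather than configuring that file in ActivID CMS.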

For more information, refer to Configuring a PKI Application Using a Microsoft CA.