Introduction
This article will describe how to setup and configure the vSEC:CMS such that it will be possible to issue and manage credentials where the certificate private key(s) can be archived and later recovered to the credential if required. The article will cover the following:
- Configure a key archival template;
- Configure a key recovery template;
- Issue a credential where the key is archived;
- Issue a credential where the key is recovered from the already archived key.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
What is Key Archival and Key Recovery in vSEC:CMS?
Key archival is the storing of a private key of a certificate such that it can be recovered at a future time if required. Key recovery does not recover encrypted data or messages, but does enable a user or administrator to recover keys that can subsequently be used for data recovery, that is, data decryption.
Keys that are archived will be associated with the DN of the user, the credential template used and the credential key container that the credential was issued to. Therefore, it will only be possible to restore keys to the particular user DN that the original key was archived for.
If the vSEC:CMS is used to archive and retrieve keys then all archived keys created by the vSEC:CMS are stored encrypted in the vSEC:CMS database with a 128-bit AES key. The AES key is created when you initialize the vSEC:CMS on first use and stored encrypted in the CMS database using a key diversified by the master key of the vSEC:CMS. The master key is stored in the vSEC:CMS key store. At runtime, the AES key is held in memory of the Windows service that the vSEC:CMS is running under.
When an archived key is being recovered the vSEC:CMS will always restore the certificate that was issued originally for that key.
Key archival and key recovery in the vSEC:CMS has the following implementation:
- There is no support for Microsoft Key Recovery Agent (KRA);
- It is not possible to export and/or import PKCS#12 certificate files for key archiving;
- If a credential template is configured for multiple role support it will not be possible to configure key archival in this case;
- Advanced transaction log search filtering for key specific transactions is not supported;
- The implementation only supports RSA keys.
Configure Smart Card Access
Typically the credential access is already set to the correct type but for completeness we will cover this in the article.
From Options - Smart Card Access attach the credential that you will manage with the vSEC:CMS. If the credential is known you should see the credential filtered and shown from the list. If nothing is shown then follow the instructions in the article Add Credential Configuration for adding a new template.
Credential Configuration for Key Archival
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name and attach a credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect the credential and click Ok.
Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
2. Click the Edit link for Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the certificate that will be issued and in the key Archival Settings enable Archive Key and Generate new key. Leave all other settings as is. Refer to the article Card Template Settings and look in the section Enroll Certificate Options for more details on these options. Click Ok to save and close the dialog.
Allow all other defaults for the Issue Card dialog and click Ok to save and close.
3. Click Ok to save and close the credential template configuration.
It is important that the Windows certificate template used here is configured on the CA to require an authorized signature. From the Issuance Requirements tab for the certificate template properties on the CA make sure to enable This number of authorized signatures and set a value of 1 and for Application policy drop down list select the Certificate Request Agent option.
Credential Configuration for Key Recovery
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name and attach a credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect the credential and click Ok.
Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
2. Click the Edit link for Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Restore key from archive radio button and select the archive key template previously configured above in the Key to restore drop-down list. Enable the Restore last checkbox and enter a value of 1 for the number of archived Key(s) that we will restore in this example. Refer to the article Card Template Settings and look in the section Enroll Certificate Options for more details on these options.
Click Ok to save and close the dialog.
Allow all other defaults for the Issue Card dialog and click Ok to save and close.
3. Click Ok to save and close the credential template configuration.
Issue Credential with Key Archival
Firstly, we will issue a credential with the private key archived by the vSEC:CMS.
From the Lifecycle page attach a blank credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
From Repository - Archived Keys you can verify that the key was archived and view details around this.
Issue Credential with Key Recovery
Now we will issue a new credential with the private key that was archived when we issued the credential with key archival.
From the Lifecycle page attach a blank credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to.
Select the user that you issued the credential with an archived key earlier. A message dialog will appear informing the operator that a credential is already issued to the user. Just select Yes to continue.
Then at the end of the process you will get a short summary dialog of what operations were performed.
You can verify that the certificate and archived key have been restored and are the same as what was issued to the user during the Issue Credential with Key Archival flow. From Actions - Certificate/key(s) you can see details on this.
Key Archival with Entrust CA
If an Entrust CA is used the configuration settings will be different from what is available if a MS CA is used. The archive key option will be automatically enabled but it will not be possible to disable this if the archive key feature is enabled from the CA connection template. Enable the Generate new key option if it is required that a new key is generated when a card is issued. Enable the Restore last option if it is required that key(s) already archived should be restored when the card is issued in a restore flow. Enter the number of key(s) that should be restored in the field available.
If key archival is used in an Entrust CA configuration in the vSEC:CMS it will be necessary to enable registry keys to support this since the CSP used is MS base smart card crypto provider which by default disables the importing of encryption keys on to a credential.
On a 64-bit operating system enable the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001
On a 32-bit operating system enable the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001
Key Archive Housekeeping
From the Repository - Archived Keys page the archived keys will be listed. If it is required to delete an archived key, for example a key may no longer be used or a key may have been replaced by another key, select the key and click the Delete button. This will result in the key being removed from the vSEC:CMS database. Therefore, it will not be possible to restore the deleted key if required in the future.
It is possible to configure a key recovery role that can be configured for a particular operator, thereby controlling what operations an operator can perform around key recovery. From the Options - Roles page it is possible to configure these settings.