Exporting and Converting Archived Keys from Windows Server ADCS

Managing certificates and their private keys efficiently is crucial for the security of any system. Windows Server Active Directory Certificate Services (ADCS) offers a robust platform for managing certificates within a Windows environment. However, there might arise scenarios where you need to export archived keys from the Certification Authority (CA) and convert them to a different format, such as pfx. This procedure ensures that you can securely handle these sensitive pieces of information while maintaining the integrity of your system. 

[ADCS] Export archived private keys from the certification authority database

Prerequisites: 

Before delving into the process of exporting and converting archived keys, it's essential to ensure that you have the necessary permissions and tools. You'll need "Manage CA" and "Issue and manage Certificates" permissions from the certificate authority. Additionally, access to tools such as MMC (Microsoft Management Console) for adding and PowerShell. 

The permissions on the Certificate Authority (CA) typically include the ability to "Manage CA" and "Issue and manage Certificates," granting users the authority to oversee and control the issuance and management of certificates within the system.  

To facilitate these tasks, various tools are available, such as the CLI like PowerShell, which offers flexibility and scripting capabilities for efficient management. Additionally, the MMC serves as a graphical interface, enabling users to add crucial components such as Certificate Templates, Certification Authority, and Certificates (Users), streamlining the management process.  

To access these tools and components through MMC, users can follow these steps:  

1. Open MMC 

2. Navigate "File" menu 

3. Select "Add” or “Remove Snap-ins" 

Enable Key Archival 

The first step is to enable key archival within the ADCS. This involves configuring certificate templates and the CA itself to archive private keys. Here's how you can do it:  

1. Ensure that the current user can enroll in a Key Recovery Agent Certificate by adjusting permissions in certificate templates. Steps: 

Properties > Security 

Note: If the Key Recovery Agent template is not available in Certificate templates section:  

Certificate templates > New > Certificate template to issue > Select Key Recovery Agent 

2. Enroll a certificate from the Key Recovery Agent template and validate the request. 

Certificates > Current User > Personal > All tasks > Request new certificate.  

Here, enroll on the previously issued Key Recovery Agent template (the certificate request may need validation in the pending requests of the CA) 

 3. Configure the CA to archive keys by selecting the appropriate certificate in the Recovery Agents tab. 

Go to “properties” tab of CA (that will be used for Key Archival) > In the “Recovery Agents” tab, select archive the key.  

You should prompt with the previously issued key recovery agent certificate. 

 4. Modify the certificate template used for issuing certificates to archive the subject's encryption private key. 

 (Place in the certificate template that will be used to issue certificates from which the private key should be archived): 

Properties > Request Handling tab > Select Archive subject's encryption private key 

 Now the certificates issued from this template will see their private keys archived within the ADCS server. 

 5. Make sure to make this certificate template available in the list of Certificate templates in the certification authority snap-in. 

Exporting the archived private keys 

1. To retrieve the archived keys from the CA database, it is possible to use the following command in a folder where the user has written permissions: 

certutil -getkey {serial number of the certificate}

2. By adding a filename afterwards, it can be saved as a .bin or .pfx file. 

This will either retrieve an archived private key recovery blob, generate a recovery script, or recover archived keys.

3. Otherwise, it is possible to list the certificates concerned, export them to a list and then retrieve the private keys to then convert them. 

certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber csv

 The following attributes can also be included: 

• Request: describes the unique identifier of the certificate in the CA database. 

• Requester Name: describes the certificate requester. 

• Serial Number: describes the unique serial number of the certificate. 

• Not Before: describes the beginning of the validity of the certificate. 

• Not After: describes the end of validity of the certificate. 

• Key Recovery Hashes: describes with which Key Recovery Agent certificates the private key was archived. If the key is archived with multiple KRA certificates, they are separated by a "+" sign. For recovery, the private key of one of the KRA certificates must be present. 

For example: 

certutil -view -restrict "KeyRecoveryHashes>0" -out RequestId,RequesterName,SerialNumber,NotBefore,NotAfter,KeyRecoveryHashes csv 

 The previously mentioned outputs can be saved to a file by adding “> Pathname\filename.txt” 

4. To export the individual keys, run the following command: 

Import-Csv -Path filename.txt | ForEach-Object -Process { certutil -getkey $_."Serial Number" "$($_."Serial Number").bin" } 

Notes: 

•  This command will generate one bin file per key.  

• The -getkey argument specifies that the key should be exported from the certification authority database to a file.  

These keys are still enciphered, to decipher those keys they must be converted to pfx format (PKCS#12).

Converting the keys to .pfx format 

To proceed successfully, ensure all Key Recovery Agent (KRA) certificates, along with their private keys, are installed or accessible. If not, import any missing KRA certificates to prevent this error: 

Decrypt error: Certificate and private key required for decryption not found.  

To consider: In the following example, the same password is used for all exported keys - thus the security of all keys is bound to the knowledge of this one password.  

This approach is therefore not recommended in practice. Strong, randomly generated passwords and, above all, passwords that are unique for each key should be used, which could be realized with correspondingly more complex program logic. 

1. To convert the exported keys to .pfx format (PKCS#12), run the following command and specify the wanted password: 

Import-Csv -Path keyscsv.txt | ForEach-Object -Process { certutil -p "P@$$w0rd" -recoverkey "$($_."Serial Number").bin" "$($_."Serial Number").pfx"}  

Note: If the -p tag is not specified, the user will be prompted for a password through the CLI.

Conclusion

Exporting and converting archived keys from a Windows Server ADCS is a critical process in certificate management. By following the steps outlined above, you can ensure that your confidential information remains secure while still being accessible for necessary operations. It is essential to adhere to best practices, such as using strong, unique passwords and maintaining appropriate permissions, to safeguard your system against potential security threats and the tools offered by EVERTRUST present a robust alternative to Microsoft ADCS, offering significant utility in both scenarios.  

Whether you are looking to enhance security, streamline processes or modernize your certificate lifecycle management, EVERTRUST provides powerful solutions to meet your needs - you can not only optimize operational efficiency, but also fortify your digital infrastructure against emerging threats, ensuring a resilient and agile approach to certificate management in today's rapidly evolving landscape.