Windows Server 2003 PKI Key Archival and Recovery

Key archival and recovery are public key infrastructure (PKI) services that organizations can use to recover lost, stolen, or unavailable private encryption keys. Key archival and recovery are requirements in PKI-enabled applications, such as secure mail applications, that deal with persistent data. Microsoft first introduced automatic and centralized private key archival and recovery in the Key Management Service (KMS), part of the Secure MIME (S/MIME)­based mail application in Microsoft Exchange Server 4.0 and later. (Exchange Server 2003 doesn't come with a KMS, so if you have an operational KMS in an Exchange 2000 Server environment and plan to migrate to Exchange 2003, you must migrate the KMS key archival database to the Windows Server 2003 Certification Authority—CA—key archival database. For more information about this process, see the sidebar "Migrating the Exchange KMS Database.") Windows 2003 key archival and recovery build on the KMS concept: Each Windows 2003 enterprise CA includes an automated and centralized key archival and recovery service. (PKI users can also manually perform key archival and recovery, as the sidebar "Manual Key Archival and Recovery," page 8, explains.) Let's examine how to set up automatic Windows 2003 PKI key archival and recovery and how archival and recovery work. . . .