A key recovery agent is able to extract the private key from an issued certificate from the certificate services database on a certificate authority. Out of the box, Active Directory Certificate Services on Windows Server 2008 does not have a key recovery agent. That means that if a private key from an issued certificate is lost, it is pretty much gone for good. If you’ve used certificate issued from a CA to support EFS, that EFS encrypted data is going to be pretty difficult to recover.

To get key recovery working, you need to do a couple of things. The first is to create a key recovery agent, which is the user account that will be able to perform key recovery. To do this you need to:

  1. Configure the CA to issue Key Recovery Agent certificates. This can be done through the Certificate Authority MMC by right clicking on the Templates node and selecting “New Certificate Template To Issue”. To make this more secure, edit the properties of the Key Recovery Agent so that only members of a specific security group can enroll in the certificate.
  2. Issue a Key Recovery Agent certificate to a designated user account.
  3. Configure the templates of the certificates that you want to issue with the Archive Subject’s Encryption Private Key option enabled on the Request Handling tab of the certificate template’s properties. You can do this by using the Certificate Templates snap-in. In some cases, you will need to create a duplicate template that supersedes the original to enable this functionality.
  4. Edit the CA’s properties. On the Recovery Agents tab, select Archive the Key, specify the number of recovery agents to configure and then add the recovery agent. You can only add a recovery agent if a Key Recovery Agent certificate has already been issued