Private key archival feature not working as expected

David Buřič 0 Reputation points
2026-03-18T09:08:52.5833333+00:00

Hello,

recently I have realized that my private keys are not archived at my issuing CA, even when the Recovery Agent is configured, even though the clients are supposed to send the "blob" with the private key. But when I try to recover the private key I receive a message that the blob is empty.

KRA is configured correctly. The certificate is valid. Templates have the archive flag, but it just doesn't work. I tested from multiple stations with/without EDR in order to be sure that no security is in my way. I tested EFS templates and also S/MIME (Secure Email) templates. Certificates are autoenrolled, and I also tried to enroll via MMC.

I tried with Legacy CSP also, but this does not solve anything.

I have the CA running on Windows Server 2019 with the latest patches. Clients are mostly W11 24H2, but I tried older clients. The result is the same.

I'm of course willing to provide other information. I just wanted to know if anybody else has perhaps faced this problem as well.

Thanks.
David


2 answers

  1. David Buřič 0 Reputation points
    2026-03-18T09:29:20.95+00:00

    Thank you, this is helpful.

    To clarify the practical deployment scenario in our environment:

    • We use AD CS Enterprise subordinate CAs
    • We issue user certificates for S/MIME and EFS
    • The template has “Archive subject’s encryption private key” enabled
    • The CA has valid KRA certificates configured before issuance
    • However, certificates enrolled via our current Windows enrollment path still result in empty archived key blobs or CERTSRV_E_ARCHIVED_KEY_REQUIRED

    Could you please clarify:

    1. Which built-in Windows enrollment methods actually submit CMC requests suitable for key archival for user certificates?
    2. Does standard enterprise autoenrollment submit a CMC request for such templates?
    3. Does MMC / certmgr.msc / Request New Certificate submit CMC or PKCS#10 in this scenario?
    4. Is custom enrollment through CertEnroll (IX509CertificateRequestCmc) required if we want reliable private key archival for user S/MIME/EFS certificates?

    We want to understand whether this is expected behavior of the built-in enrollment clients, or whether a custom CMC-based enrollment flow is required.


  2. Q&A Assist
    2026-03-18T09:09:09.84+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    On Windows Server–based CAs, key archival only works when all required conditions are met and when the request type supports archival.

    Key points to verify in this scenario:

    1. Key archival is only supported with CMC requests
      • Only CMC requests can be used for key archival. CMC requests are represented by the IX509CertificateRequestCmc interface.
      • If enrollment is occurring via a method that does not generate a CMC request (for example, a different request type), the client will not send the encrypted private key “blob,” and the CA database will not contain an archived key for that certificate.
    2. CA must be configured with valid KRA certificates before enrollment
      • The CA must be configured to issue Key Recovery Agent (KRA) certificates and must already have at least one valid KRA certificate configured before any certificate that requires archival is issued.
      • During archival, the CA:
        1. Uses its exchange certificate public key to decrypt the private key sent by the client.
        2. Encrypts the private key with the public key in the KRA certificate (or with each KRA public key if multiple KRAs exist).
        3. Stores the encrypted private key in the CA database.
      • If no valid KRA certificate is configured at the time of enrollment, the CA cannot encrypt and store the private key, and later recovery attempts will effectively find an “empty” blob.
    3. Template configuration must require key archival
      • The certificate template used by the clients must have the “Archive subject’s encryption private key” (or equivalent) option enabled.
      • Only encryption keys are archived by default. Keys intended only for signing are not archived, because only the public key is needed to verify signatures.
      • For EFS and S/MIME, ensure the template is configured as an encryption template and that the archive flag is set.
    4. Recovery behavior and what is actually stored
      • An archived key is stored in the CA database as an encrypted PKCS #7 to the KRA certificate(s).
      • When recovery is performed (for example, via certutil -getkey or via ICertAdmin2::GetArchivedKey), the CA returns a PKCS #7 that contains:
        • The KRA certificate(s)
        • The user certificate and chain
        • The CA signing certificate and chain
        • The encrypted private key
      • If the original request did not include an archived private key (for example, non‑CMC request, or no KRA configured at issuance), the returned structure will not contain a usable encrypted private key, and recovery tools will report an empty or unusable blob.
    5. Practical checks
      • Confirm that the CA’s key archival configuration and KRA certificates were in place before any of the affected certificates were issued.
      • Confirm that the enrollment path being used (autoenrollment, MMC, or other) is actually sending CMC requests for those templates.
      • Test with a freshly issued certificate after verifying the above; only certificates issued after correct configuration will have recoverable archived keys.

    If any of these conditions were not met at the time the certificates were issued, those existing certificates will not have recoverable private keys in the CA database; only newly issued certificates after proper configuration will be recoverable.
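    The practical checks in point 5 can be run against the CA database from an admin workstation. The script below is an added example, not code from the thread; it reads the "Key Recovery Agent Hashes" column of issued requests for one template, so any request with an empty column was issued without an archived key (non-CMC request or no KRA loaded at issuance). `$CaConfig` and `$TemplateId` are placeholders; the `certutil -view ... csv` output switch and the column names `Disposition`, `CertificateTemplate` and `KeyRecoveryHashes` are assumed to match the CA schema shown by `certutil -schema`.

```powershell
# Added example (not from the thread). Checks which issued certificates for a
# template actually have an archived private key in the CA database.
param(
    # Placeholder CA config string "<host>\<CA common name>"
    [string]$CaConfig   = 'CA-SERVER.example.local\Example Issuing CA',
    # Placeholder: for version-2+ templates the column stores the template OID,
    # for version-1 templates the template name (see certutil -template).
    [string]$TemplateId = '1.3.6.1.4.1.311.21.8.0.0.0.0.0.0.0.0'
)

# 1. How many KRA certificates does the CA currently have loaded?
#    A value of 0 means nothing issued now can be archived, whatever the template says.
certutil -config $CaConfig -getreg CA\KRACertCount

# 2. Issued requests (Disposition=20) for the template, with the KRA hash column.
#    The trailing 'csv' switch makes certutil emit a header row plus one row per request.
$raw = certutil -config $CaConfig -view `
        -restrict "Disposition=20,CertificateTemplate=$TemplateId" `
        -out 'RequestID,RequesterName,NotBefore,SerialNumber,KeyRecoveryHashes' csv
$rows = $raw | ConvertFrom-Csv

if (-not $rows) { Write-Warning "No issued certificates found for template $TemplateId"; return }

# Column header wording may differ between certutil builds, so locate it by pattern.
$kraCol = ($rows | Select-Object -First 1).PSObject.Properties.Name |
          Where-Object { $_ -match 'Key ?Recovery' } | Select-Object -First 1
if (-not $kraCol) { throw "KeyRecoveryHashes column not returned; check -out column names" }

$withKey    = $rows | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$kraCol) }
$withoutKey = $rows | Where-Object {      [string]::IsNullOrWhiteSpace($_.$kraCol) }

"{0} issued certificates: {1} with archived key, {2} WITHOUT" -f `
    $rows.Count, @($withKey).Count, @($withoutKey).Count

# Certificates listed here cannot be recovered; they must be re-enrolled after the
# KRA/template/enrollment path is fixed, as the answer above explains.
$withoutKey | Format-Table -AutoSize

# 3. For a request that does have KRA hashes, the CA returns the PKCS #7 recovery blob:
#    certutil -config $CaConfig -getkey <SerialNumber> recovered.p7b
#    followed by certutil -recoverkey by a KRA holder; run manually, not in this script.
```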
